Getting Law Enforcement Action for a Large-Scale Hack?

HeelToe asks: "Two nights ago, I sat down to do a few chores with finance websites and check my mail. To check my mail, I use an ssh connection and read it via mutt. I had already hit Slashdot for my semi-hourly dose of content, but then noticed my ssh client complaining about a difference between its cached copy of the server key and the server key presented, so I started investigation. After figuring out what was going on, I contacted the tech support line for my service provider (Charter Communications) to no avail, as well as the FBI and NIPC, again, both to no avail. There are all these laws and all this hype about enforcing these computer crime laws - what must an end user do to get some enforcement done? Read on for more, much more..." Update: 06/21 19:13 GMT by C :As it turns out, the issue wasn't a hack at Charter but a particularly nasty form of Spyware. Stll, the question is valid, and some of the suggestions already given, have been real informative. Keep 'em coming!

"So I determined that I was connecting to xxx.p5115.tdko.com instead of xxx. I started looking at dns settings. Of course, under Windows, the default is to accept the default dns domain specified by a DHCP server for the PC's ethernet connection. There are settings to disable this, but I hadn't thought about it until now. It turns out, Charter Communications' DHCP servers were infiltrated and were providing p5115.tdko.com as the 'Connection-specific DNS suffix', causing all non-hardened Windows (whatever that means in a Windows context) machines to get lookups from a hijacked subdomain DNS server which simply responded to every query with a set of 3 addresses (66.220.17.45, 66.220.17.46, 66.220.17.47).

On these IPs were some phantom services. There were proxying web servers (presumably collecting cookies and username/password combos), as well as an ssh server where the perpetrators were most likely hoping people would simply say 'yes' to the key differences and enter in their username/password.

Has anyone else seen this type of attack before? Pretty sneaky. I bet it would slip by most people that don't use anything but a web browser. This makes me want to step up my plans to put an OpenBSD firewall in place and allow it as little trust of the outside world as possible, providing more trusted DNS/DHCP services to the hosts on my network. It would be nicer to be able to boot the thing self-contained-and-configured off read-only media and have no writable access to anything from the operating system to totally prevent break-in/tampering.

With respect to the law enforcement issues. I first called Charter, and after 10 minutes on hold was told to submit a report to their abuse account. I asked the tech support rep if they really wanted me submitting the incident report through a hijacked proxying web server. I hadn't yet reconfigured my Windows systems because I wanted to collect as much information as possible while the attack was still live. The long and short from the tech support rep was they'd look at it, but couldn't do anything with respect to responding to me about it unless I submitted that report.

I moved on to calling the FBI. The after hours person had no idea what evidence collection procedures I should follow, nor if their office would even be interested in investigation. I was told to call back during business hours. I did a little searching and found the National Infrastructure Protection Center. I gave them a ring and was asked to fill out an incident report. I was told it would be reviewed in the NOC quickly and a decision made about further investigation. The rep answering the phone said to collect any and all information I could think of regarding the attack. I got a response later this morning that their NOC personnel had evaluated the report and decided not to investigate further.

I called the FBI back this morning, only to be told they generally didn't investigate these types of crimes for individuals, but usually only for companies that had lost at least a couple thousand dollars. To inflate my ego a bit, I asked if I could count my time cleaning up/investigating as a loss of this magnitude and was told no, that it would have to be a financial loss like is associated with internet credit card fraud. Given how Kevin Mitnick was convicted and sentenced on 'evidence' that included employee time for investigation and cleanup, why is this any different for me?

With respect to getting some action on any future attacks - what should I do? Who should I call? I'm not a h/\x0r, and I have reasonable investigation skills, but aren't there professionals doing this to uphold the law? What's the point of all those federal laws anyway? Monitoring of third party communications, without the consent of either party; unauthorized access to Charter's systems - the list can go on a lot further depending on the activity happening at those proxying servers. Are these laws just tools to oppress unpopular computer criminals but just plain not enforced most of the time?

I found this situation and particular method of attack interesting... hopefully this was fun to read. If you have suggestions for what I should do in the future to handle attacks, I'd love to hear about it!"

Call tech support, but

[aridhol]

If you can't get the tech support to help, try escalating and turboing the problem. Eventually, you'll talk to someone at the ISP who can or will do something. If not, it's time to get a new provider.

It sucks that the law-enforcement agencies won't help private individuals; however, since it's a company that's being hacked, they should be able to put their resources on it.

RISKS

[kzinti]

I can't help you with getting the attention of law enforcement or the service provider, but when all is said and done, I bet Peter Neuman at the ACM RISKS Digest would love to publish your story. The RISKS readers would be interested in the original hijacking, and just as interested in the lackadaisical response by those who could do something about it. The risks posed by both problems are the forum's reason for being.

This is standard

[alienw]

This is a very standard type of attack and a standard FBI response. FBI damage trigger is $5,000 IIRC. If the ISP calls the FBI, they can get the ball rolling. You can't, and frankly it's none of your business since it's the ISP server that got hacked. I wouldn't do anything beyond calling the ISP. You can't claim financial losses, because you didn't lose any money directly as a result of this hack.

Re:Well, you have done some good here already.

[aridhol]

Of course, that only affects those who use passwords for SSH. I generally prefer RSA user authentication. One of the reasons is laziness - I only have to enter my key's password once, and it authenticates to SSH servers for me. And, of course, there's security. Because I don't enter my password over the wire, there's no way for it to be intercepted.

My experience with the feds

[JWSmythe]

Our biggest problem isn't breakins, it's posting web site passwords on the net.. Hey, it's still someone using an illegal means to access materials (yada, yada, yada).

We do our own defenses, but I always see the users or proxies attempting crap.. I tried calling a few providers, but they're completely dense when you say "someone on your network is attacking one of my servers." Somehow they manage to get the stupidest people handling their support desk, who can't even comprehend what a server is. If you do manage to get to an abuse department, they'll rarely do much.

A few years ago, I got tired of fucking with the help-desk people to complain to, so I called the FBI. They took my information, and had an agent call me back.. It took a couple weeks to get the return call, but I did. He was actually well informed, and seemed to know at least the basics of how the Internet worked. He also said that I'd have to prove a monetary loss. The mininum amount was $5,000, if I recall correctly. It isn't enough that someone can abuse the shit out of your system, you have to prove that you were loosing money in the process.. So I have to make the decision, do I set up the system poorly enough so we do loose sales/members over fairly simple attacks, or do I just forget trying to get anyone to help.

Recently, a friend of mine rewrote a site for selling calling cards on the net.. The company is an established real-world business, they just wanted to expand... So, she spent a few months putting together a kick-ass site, with all the bells and whistles that the owner asked for.. About a month after it went live, someone started hitting it with fraudlent transactions. Even with all her normal precautions (and a few of mine), and using a 3rd party billing company with their own precautions, they still got hammered for about $10,000 worth of fraud.. The FBI was willing to take a report on this one, but never investigated, and never did anything about it.. She (the programmer) had got the IP's of the users, found out who owned the blocks. We actually knew where they physically were and told the FBI. If they were interested, they'd only need to send one agent where we told them, and close the case. They didn't. It's still an open case with no leads. {sigh}

There were IP's in two different /24's doing the fraud.. They were coming back about once per day and doing the same scam. Each one was a Internet cafe thing, so fairly obviously it's someone sitting on a public machine trying not to get caught. But, they were both at least 1000 miles from where we were, so it was pretty useless for us to catch them. It would have just been so easy for the FBI to send one agent out. $10,000 fraud on one site is nothing. I'd be more than willing to bet that they were hammering a whole bunch of sites with those same transactions.

We called the cafe owners and told them what was happening. Their suggestion was to call the police, they weren't going to stop anything. {sigh}

Knowing how bad they are to stop things, I wonder if I'm doing the wrong thing, staying on the legitimate side of things. If we can literally say "They guy sitting in this cafe is running tens of thousands of dollars in fraudelent transactions per day, and stole from us" with proof, and they won't touch it, how much evidence do they really need against someone to do something?

Ya, we see the big "some hacker caught" stories occasionally, but honestly with all the crime going on (yes, there's lots), it's only rarely that you hear about someone getting caught.

The reason law enforcement won't investigate

[djbrums]

I worked as a security officer for many years, working with law enforcement on issues such as this. In reality, what you've run up against is a fundamental problem with computer law. Almost any offense they could charge the perpetrator with is a felony, thus the FBI should handle the case.

So what does it take to get the FBI to investigate? There are about 4 different things the bad guys could do:

• Cause $5000 worth of damages. What "damage" means is not standardized. Some district attorneys read the law as meaning $5000 worth of physical damage! In any case, most interprate this to mean $5000 in damages from the hack, but recovery time is not necessarily included. Thus, the question of whether your credit card was used.
• Breaking into a financial instituation.
• Cause a public health threat, such as by breaking into a hospital.
• Attacking the interests of the US, i.e. the gov't.

The problem is you don't fit into any of these categories for the FBI. Suppose you did come up with the required damages. Then the FBI have to choose whether to pursue your case or another. If someone else is causing more problems, they'll investigate them instead of your case. If you don't have any idea whose doing the hacking, then again they'll probably go after someone who they think is easier to catch. Last, they'll try to decide whether or not they think the case will lead to an easy conviction. If not, again your screwed.

Basically it's a matter of priorities, and this doesn't sound like a large enough hack to be more than the blip of a Cessena at an international airport full of 747's.

It sucks, but that's how it is. What would be good is if hacking resulted in a fine, or some other misdemener. Then convictions would be easy, and the bad guys would quickly learn crime doesn't pay in the small case, and the big cases result in the FBI actually going after them.

go after the next rung

[arget]

The government is worthless in this. They're reactionary, not preventative, and even then will only give you the time of day if there's hard money or data loss involved.

Charter was woefully unconcerned, and as their customer, I'd raise hell, escalating up their corporate food chain.

To get at the actual attacker, go the next rung, look at who owns/controls the IPs that you're being redirected to.

http://ws.arin.net/cgi-bin/whois.pl?queryinput=! %2 0NET-66-220-17-0-1

CustName: C2 Media Ltd
Address: P.O. Box 1113
City: Shalimar
StateProv: FL
PostalCode: 32579
Country: US

who are in turn a customer of Hurricane Electric

TechHandle: ZH17-ARIN
TechName: Hurricane Electric
TechPhone: +1-510-580-4100
TechEmail: hostmaster@he.net

OrgTechHandle: ZH17-ARIN
OrgTechName: Hurricane Electric
OrgTechPhone: +1-510-580-4100
OrgTechEmail: hostmaster@he.net

Go to Hurricane, and ask them why they're letting this go on. They'll be more concerned. You've indemnified Charter in your service agreement, most likely, and can't sue them. Hurricane has no such protection from you and will, ironically, be more responsive than your own ISP.

Come on!

[siskbc]

First, it's quite possible those guys were hijacked too, as it's hard to believe someone would be blase enough to point the proxy to their OWN server. So we may be adding injury to insult to injury here.

Second, hey guys, the site's still up. Get off your lazy asses. ;)

Re:If You're Not Corporate, You're Little People

[bourne]

I really don't know what to say, except what I put in the subject line.

You're overreaching a bit.

The end-user isn't an official representative of the victim. Obviously, law enforcement isn't going to deal with him. Firstly, for (the feds) to get involved, they need at least $5000 damage, which he couldn't speak to. They're not going to waste their time unless there is a willingness to prosecute, which - guess what - also requires an offical representative to commit to. Finally, if they do get involved, their next step is to ask for logs and other evidence - which, at best, the end-user only has symptoms of. Again, they need to deal with the duly authorized representative of the ISP to get anywhere.

From the sound of it, they actually went out of their way to try and help him reach the minimums to be considered a valid case himself. That's actually pretty amazing by itself.

Re:If You're Not Corporate, You're Little People

[InsaneGeek]

In general the reason being: it's not a federal issue until it hits >$5,000 in damages. Until then you are supposed to deal with your local organizations (there is a reason for your local government, you know. Does one go directly to the CEA to get more toiletpaper in the batchroom?).

In this case specifically a resonable analogy would be, a technically competent end-user in a corporate environment doesn't contact the FBI their IT dept does. The user here doesn't have control over the DHCP/DNS servers, doesn't manage them in anyway. What do you expect from a federal organization in this situation... 20 feds flown down to look at an end-users system that hadn't receive any monetary losses yet?

A more defined notification authority would be nice, but you can't expect every single end user to call the FBI. As an end-user contact you local officials you are paying taxes for them, if you are the owners of the compromised systems and you incurred financial loss then you can bump it up to a federal level (remember local/state organizations can sometimes even provide better service than the FBI, and then there are some that are stupid)

You called the FBI for help removing spyware...

[kalanar]

Here's how you remove it:

LOP Removal

Excerpt:

Lop masquerades as an mp3 search engine. It is capable of:

Hijacking your starting page
Adding the Lop Toolbar to Internet Explorer
Adding the Lop Toolbar to Windows Explorer
Causing frequent Windows Explorer & Internet Explorer crashes
Popup advertisements
Adding Lop links to your Bookmarks (Favorites)
Installing software on your PC without your consent
Tracking your site visits and reporting them back to Lop (for advertising purposes)

Now where's my check for the 5 minutes that it took to google for this? Your question of "Why doesn't these agencies handle these kinds of problems?" is ironically answered by your real issue. The FBI is not your local computer repair shop.

I would run a program like Ad-Aware to remove any other spyware that you have installed. And next time that you're "hAx0r3d" go to google and search for "hostnamethatisHax0ringme.com spyware"

Tech Support

[EtherBoo]

This may seem redundant, and it may seem a bit trollish, but seeing it from the TSR (Technical Support Representative) perspective, we really don't care. I mean, think of it like this, you do have a point, and whats happening should be taken care of, but the guy who answers the phone, is going to think you're just paranoid. If he talks to a supervisor, the supervisor is going to tell you that we are currently fine, and there are no hacks going on, unless of course we have been notified, in which case, we say something like, "Sorry for the inconvience, blah blah blah. We are working with our NOC to resolve the isssue, blah blah blah." As sorry as I am to say it, it's not worth it to use to care. We don't get paid enough, and as employees, we are just treated like garbage, at least at the place I work. Basically, the only thing you can do is send an email to Abuse, or just sit and wait, realizing that there isn't anything we can do. Tech support is really just for the end user that doesn't know any better. Anyone that knows anything is going to have a much harder time with support. Sorry.

Hope you didn't give them you're /. user id and pass.

Re:No you were running spyware!

[HeelToe]

Actually, it was not spyware.

I queried the dhcp server from a unix-alike box and got the same response back from it for the connection's dns domain as I did under windows. The DHCP server was handing it out for sure.

Re:No you were running spyware!

[plover]

I run Spybot S & D, from http://security.kolla.de. It does a pretty good job of cleaning up these infections. It got rid of Xupiter, which was my first personal infection by spyware (or any virus for that matter.) I then asked my kid to stop running Morpheus and switch to Gnucleus. (I've since asked him not to participate in any file sharing at all because of all the legal crap flying about.)

Of the bad ones, Lop (which you have) is far and away the most difficult to get rid of. It has many separate components, a Browser Helper Object, an executable launched at startup via an entry that's in your registry's HKLM/Software/Microsoft/Windows/CurrentVersion/Run key, (and possibly in RunOnce and/or RunServices, plus in the same path under each user as well), and others. I think it may even replace your WSOCK32.DLL but I don't remember if Lop is that one. If it is, it certainly would explain why your DNS went haywire. The deal with Lop is that all these components watch over each other. If you delete or disable one component, the others silently patch the hole next chance they get.

To answer your question, I've never heard of it affecting a firewall/router. (I kind of assume you're running a Linksys, but regardless of the make & model make sure you don't still have the default password on it.) If Lop patched your winsock layer, the Windows box would be completely unable to tell you the truth about DHCP or DNS.

It's not quite as bad as kudzu, but it's definitely not something you want.

Anyway, I've found Spybot S&D to be a most excellent tool with frequent and current updates. It's the first thing I run every time I visit friends or family and they want me to look at their computers. It's also free, (but donations are welcome.) I switched from the paid version of AdAware+ after they failed to release V 6.0 on time. I do wish that the anti-virus vendors would block some of this crap.

Other things I run to defend my Microsoft equipment from this stuff?

• I run BHOCop occasionally, which lets me manage "Browser Helper Objects". The only BHO I allow is Acrobat.
• I use StartupMonitor which watches all the startup registry keys, the "Startup" folders, the system services, and the Autoexec and Config files for changes and it pops up a confirmation message box before allowing any changes that would allow a new program to run on startup. If something wants to run at startup, I think I should know about it. It used to be freeware, but I think the magazine that sponsored it now wants $20.00 for it. I suppose I'll just have to get off my butt and write one (it's about a dozen Win32 API calls.) And while I'm at it, I think I'll have it watching for BHOs at the same time, and try to kill two birds with one stone. I don't like how it doesn't play nice with multiple users under XP anyway.
• I run Mozilla as my primary browser. None of the spyware fiends seem to have targetted it. And it doesn't run stupid objects. But, I still have IE as the default browser because on Windows, there are some things that just have to have IE.
• I run the Proxomitron as an ad-filtering proxy, so I added certain anti-spyware checks into it.
• My son likes running Zone Alarm to keep an eye on what's leaving his box, but I found it kind of annoying so I removed it from mine. It doesn't really prevent much, per se, but it does let you know you're infected.
• I tried creating directories for the default paths of Xupiter, Kontiki and others, and used CACLS to have NTFS remove all access. That was kind of a mistake, because even I couldn't get rid of them after that.
• Finally, I had entries in my hosts file for the sites of the known worst offenders (lop, xupiter, bonzi buddy, gator, kontiki) so that even if something slipped thru, I wouldn't be accidentally talking to them. But I ended up with over 1600 lines in my hosts file, though, and name resolution started taking way too