Getting Law Enforcement Action for a Large-Scale Hack?

HeelToe asks: "Two nights ago, I sat down to do a few chores with finance websites and check my mail. To check my mail, I use an ssh connection and read it via mutt. I had already hit Slashdot for my semi-hourly dose of content, but then noticed my ssh client complaining about a difference between its cached copy of the server key and the server key presented, so I started investigation. After figuring out what was going on, I contacted the tech support line for my service provider (Charter Communications) to no avail, as well as the FBI and NIPC, again, both to no avail. There are all these laws and all this hype about enforcing these computer crime laws - what must an end user do to get some enforcement done? Read on for more, much more..." Update: 06/21 19:13 GMT by C :As it turns out, the issue wasn't a hack at Charter but a particularly nasty form of Spyware. Stll, the question is valid, and some of the suggestions already given, have been real informative. Keep 'em coming!

"So I determined that I was connecting to xxx.p5115.tdko.com instead of xxx. I started looking at dns settings. Of course, under Windows, the default is to accept the default dns domain specified by a DHCP server for the PC's ethernet connection. There are settings to disable this, but I hadn't thought about it until now. It turns out, Charter Communications' DHCP servers were infiltrated and were providing p5115.tdko.com as the 'Connection-specific DNS suffix', causing all non-hardened Windows (whatever that means in a Windows context) machines to get lookups from a hijacked subdomain DNS server which simply responded to every query with a set of 3 addresses (66.220.17.45, 66.220.17.46, 66.220.17.47).

On these IPs were some phantom services. There were proxying web servers (presumably collecting cookies and username/password combos), as well as an ssh server where the perpetrators were most likely hoping people would simply say 'yes' to the key differences and enter in their username/password.

Has anyone else seen this type of attack before? Pretty sneaky. I bet it would slip by most people that don't use anything but a web browser. This makes me want to step up my plans to put an OpenBSD firewall in place and allow it as little trust of the outside world as possible, providing more trusted DNS/DHCP services to the hosts on my network. It would be nicer to be able to boot the thing self-contained-and-configured off read-only media and have no writable access to anything from the operating system to totally prevent break-in/tampering.

With respect to the law enforcement issues. I first called Charter, and after 10 minutes on hold was told to submit a report to their abuse account. I asked the tech support rep if they really wanted me submitting the incident report through a hijacked proxying web server. I hadn't yet reconfigured my Windows systems because I wanted to collect as much information as possible while the attack was still live. The long and short from the tech support rep was they'd look at it, but couldn't do anything with respect to responding to me about it unless I submitted that report.

I moved on to calling the FBI. The after hours person had no idea what evidence collection procedures I should follow, nor if their office would even be interested in investigation. I was told to call back during business hours. I did a little searching and found the National Infrastructure Protection Center. I gave them a ring and was asked to fill out an incident report. I was told it would be reviewed in the NOC quickly and a decision made about further investigation. The rep answering the phone said to collect any and all information I could think of regarding the attack. I got a response later this morning that their NOC personnel had evaluated the report and decided not to investigate further.

I called the FBI back this morning, only to be told they generally didn't investigate these types of crimes for individuals, but usually only for companies that had lost at least a couple thousand dollars. To inflate my ego a bit, I asked if I could count my time cleaning up/investigating as a loss of this magnitude and was told no, that it would have to be a financial loss like is associated with internet credit card fraud. Given how Kevin Mitnick was convicted and sentenced on 'evidence' that included employee time for investigation and cleanup, why is this any different for me?

With respect to getting some action on any future attacks - what should I do? Who should I call? I'm not a h/\x0r, and I have reasonable investigation skills, but aren't there professionals doing this to uphold the law? What's the point of all those federal laws anyway? Monitoring of third party communications, without the consent of either party; unauthorized access to Charter's systems - the list can go on a lot further depending on the activity happening at those proxying servers. Are these laws just tools to oppress unpopular computer criminals but just plain not enforced most of the time?

I found this situation and particular method of attack interesting... hopefully this was fun to read. If you have suggestions for what I should do in the future to handle attacks, I'd love to hear about it!"

Call tech support, but

[aridhol]

If you can't get the tech support to help, try escalating and turboing the problem. Eventually, you'll talk to someone at the ISP who can or will do something. If not, it's time to get a new provider.

It sucks that the law-enforcement agencies won't help private individuals; however, since it's a company that's being hacked, they should be able to put their resources on it.

RISKS

[kzinti]

I can't help you with getting the attention of law enforcement or the service provider, but when all is said and done, I bet Peter Neuman at the ACM RISKS Digest would love to publish your story. The RISKS readers would be interested in the original hijacking, and just as interested in the lackadaisical response by those who could do something about it. The risks posed by both problems are the forum's reason for being.

Re:Well, you have done some good here already.

[aridhol]

Of course, that only affects those who use passwords for SSH. I generally prefer RSA user authentication. One of the reasons is laziness - I only have to enter my key's password once, and it authenticates to SSH servers for me. And, of course, there's security. Because I don't enter my password over the wire, there's no way for it to be intercepted.

The reason law enforcement won't investigate

[djbrums]

I worked as a security officer for many years, working with law enforcement on issues such as this. In reality, what you've run up against is a fundamental problem with computer law. Almost any offense they could charge the perpetrator with is a felony, thus the FBI should handle the case.

So what does it take to get the FBI to investigate? There are about 4 different things the bad guys could do:

• Cause $5000 worth of damages. What "damage" means is not standardized. Some district attorneys read the law as meaning $5000 worth of physical damage! In any case, most interprate this to mean $5000 in damages from the hack, but recovery time is not necessarily included. Thus, the question of whether your credit card was used.
• Breaking into a financial instituation.
• Cause a public health threat, such as by breaking into a hospital.
• Attacking the interests of the US, i.e. the gov't.

The problem is you don't fit into any of these categories for the FBI. Suppose you did come up with the required damages. Then the FBI have to choose whether to pursue your case or another. If someone else is causing more problems, they'll investigate them instead of your case. If you don't have any idea whose doing the hacking, then again they'll probably go after someone who they think is easier to catch. Last, they'll try to decide whether or not they think the case will lead to an easy conviction. If not, again your screwed.

Basically it's a matter of priorities, and this doesn't sound like a large enough hack to be more than the blip of a Cessena at an international airport full of 747's.

It sucks, but that's how it is. What would be good is if hacking resulted in a fine, or some other misdemener. Then convictions would be easy, and the bad guys would quickly learn crime doesn't pay in the small case, and the big cases result in the FBI actually going after them.

go after the next rung

[arget]

The government is worthless in this. They're reactionary, not preventative, and even then will only give you the time of day if there's hard money or data loss involved.

Charter was woefully unconcerned, and as their customer, I'd raise hell, escalating up their corporate food chain.

To get at the actual attacker, go the next rung, look at who owns/controls the IPs that you're being redirected to.

http://ws.arin.net/cgi-bin/whois.pl?queryinput=! %2 0NET-66-220-17-0-1

CustName: C2 Media Ltd
Address: P.O. Box 1113
City: Shalimar
StateProv: FL
PostalCode: 32579
Country: US

who are in turn a customer of Hurricane Electric

TechHandle: ZH17-ARIN
TechName: Hurricane Electric
TechPhone: +1-510-580-4100
TechEmail: hostmaster@he.net

OrgTechHandle: ZH17-ARIN
OrgTechName: Hurricane Electric
OrgTechPhone: +1-510-580-4100
OrgTechEmail: hostmaster@he.net

Go to Hurricane, and ask them why they're letting this go on. They'll be more concerned. You've indemnified Charter in your service agreement, most likely, and can't sue them. Hurricane has no such protection from you and will, ironically, be more responsive than your own ISP.

Re:No you were running spyware!

[HeelToe]

Actually, it was not spyware.

I queried the dhcp server from a unix-alike box and got the same response back from it for the connection's dns domain as I did under windows. The DHCP server was handing it out for sure.

Re:No you were running spyware!

[plover]

I run Spybot S & D, from http://security.kolla.de. It does a pretty good job of cleaning up these infections. It got rid of Xupiter, which was my first personal infection by spyware (or any virus for that matter.) I then asked my kid to stop running Morpheus and switch to Gnucleus. (I've since asked him not to participate in any file sharing at all because of all the legal crap flying about.)

Of the bad ones, Lop (which you have) is far and away the most difficult to get rid of. It has many separate components, a Browser Helper Object, an executable launched at startup via an entry that's in your registry's HKLM/Software/Microsoft/Windows/CurrentVersion/Run key, (and possibly in RunOnce and/or RunServices, plus in the same path under each user as well), and others. I think it may even replace your WSOCK32.DLL but I don't remember if Lop is that one. If it is, it certainly would explain why your DNS went haywire. The deal with Lop is that all these components watch over each other. If you delete or disable one component, the others silently patch the hole next chance they get.

To answer your question, I've never heard of it affecting a firewall/router. (I kind of assume you're running a Linksys, but regardless of the make & model make sure you don't still have the default password on it.) If Lop patched your winsock layer, the Windows box would be completely unable to tell you the truth about DHCP or DNS.

It's not quite as bad as kudzu, but it's definitely not something you want.

Anyway, I've found Spybot S&D to be a most excellent tool with frequent and current updates. It's the first thing I run every time I visit friends or family and they want me to look at their computers. It's also free, (but donations are welcome.) I switched from the paid version of AdAware+ after they failed to release V 6.0 on time. I do wish that the anti-virus vendors would block some of this crap.

Other things I run to defend my Microsoft equipment from this stuff?

• I run BHOCop occasionally, which lets me manage "Browser Helper Objects". The only BHO I allow is Acrobat.
• I use StartupMonitor which watches all the startup registry keys, the "Startup" folders, the system services, and the Autoexec and Config files for changes and it pops up a confirmation message box before allowing any changes that would allow a new program to run on startup. If something wants to run at startup, I think I should know about it. It used to be freeware, but I think the magazine that sponsored it now wants $20.00 for it. I suppose I'll just have to get off my butt and write one (it's about a dozen Win32 API calls.) And while I'm at it, I think I'll have it watching for BHOs at the same time, and try to kill two birds with one stone. I don't like how it doesn't play nice with multiple users under XP anyway.
• I run Mozilla as my primary browser. None of the spyware fiends seem to have targetted it. And it doesn't run stupid objects. But, I still have IE as the default browser because on Windows, there are some things that just have to have IE.
• I run the Proxomitron as an ad-filtering proxy, so I added certain anti-spyware checks into it.
• My son likes running Zone Alarm to keep an eye on what's leaving his box, but I found it kind of annoying so I removed it from mine. It doesn't really prevent much, per se, but it does let you know you're infected.
• I tried creating directories for the default paths of Xupiter, Kontiki and others, and used CACLS to have NTFS remove all access. That was kind of a mistake, because even I couldn't get rid of them after that.
• Finally, I had entries in my hosts file for the sites of the known worst offenders (lop, xupiter, bonzi buddy, gator, kontiki) so that even if something slipped thru, I wouldn't be accidentally talking to them. But I ended up with over 1600 lines in my hosts file, though, and name resolution started taking way too