Slashdot Mirror
Getting Law Enforcement Action for a Large-Scale Hack?
"So I determined that I was connecting to xxx.p5115.tdko.com instead of xxx. I started looking at dns settings. Of course, under Windows, the default is to accept the default dns domain specified by a DHCP server for the PC's ethernet connection. There are settings to disable this, but I hadn't thought about it until now. It turns out, Charter Communications' DHCP servers were infiltrated and were providing p5115.tdko.com as the 'Connection-specific DNS suffix', causing all non-hardened Windows (whatever that means in a Windows context) machines to get lookups from a hijacked subdomain DNS server which simply responded to every query with a set of 3 addresses (66.220.17.45, 66.220.17.46, 66.220.17.47).
On these IPs were some phantom services. There were proxying web servers (presumably collecting cookies and username/password combos), as well as an ssh server where the perpetrators were most likely hoping people would simply say 'yes' to the key differences and enter in their username/password.
Has anyone else seen this type of attack before? Pretty sneaky. I bet it would slip by most people that don't use anything but a web browser. This makes me want to step up my plans to put an OpenBSD firewall in place and allow it as little trust of the outside world as possible, providing more trusted DNS/DHCP services to the hosts on my network. It would be nicer to be able to boot the thing self-contained-and-configured off read-only media and have no writable access to anything from the operating system to totally prevent break-in/tampering.
With respect to the law enforcement issues. I first called Charter, and after 10 minutes on hold was told to submit a report to their abuse account. I asked the tech support rep if they really wanted me submitting the incident report through a hijacked proxying web server. I hadn't yet reconfigured my Windows systems because I wanted to collect as much information as possible while the attack was still live. The long and short from the tech support rep was they'd look at it, but couldn't do anything with respect to responding to me about it unless I submitted that report.
I moved on to calling the FBI. The after hours person had no idea what evidence collection procedures I should follow, nor if their office would even be interested in investigation. I was told to call back during business hours. I did a little searching and found the National Infrastructure Protection Center. I gave them a ring and was asked to fill out an incident report. I was told it would be reviewed in the NOC quickly and a decision made about further investigation. The rep answering the phone said to collect any and all information I could think of regarding the attack. I got a response later this morning that their NOC personnel had evaluated the report and decided not to investigate further.
I called the FBI back this morning, only to be told they generally didn't investigate these types of crimes for individuals, but usually only for companies that had lost at least a couple thousand dollars. To inflate my ego a bit, I asked if I could count my time cleaning up/investigating as a loss of this magnitude and was told no, that it would have to be a financial loss like is associated with internet credit card fraud. Given how Kevin Mitnick was convicted and sentenced on 'evidence' that included employee time for investigation and cleanup, why is this any different for me?
With respect to getting some action on any future attacks - what should I do? Who should I call? I'm not a h/\x0r, and I have reasonable investigation skills, but aren't there professionals doing this to uphold the law? What's the point of all those federal laws anyway? Monitoring of third party communications, without the consent of either party; unauthorized access to Charter's systems - the list can go on a lot further depending on the activity happening at those proxying servers. Are these laws just tools to oppress unpopular computer criminals but just plain not enforced most of the time?
I found this situation and particular method of attack interesting... hopefully this was fun to read. If you have suggestions for what I should do in the future to handle attacks, I'd love to hear about it!"
It has been my experience that unless there is some large monetary losses involved, then you're going to have a hard time getting law enforcement to do much of anything. Generally, for simple break-ins, they expect you to handle it yourself (typically contacting the ISP of the hacker).
When all else fails, run.
I really don't know what to say, except what I put in the subject line. The subject was lifted from the famous line in Blade Runner, "If you're not cop, you're little people." These days, money incurrs rights and protection granted by the government. Odd how things have turned out, eh?
"Only in their dreams can men truly be free 'twas always thus, and always thus will be."
--Tom Schulman
To inflate my ego a bit, I asked if I could count my time cleaning up/investigating as a loss of this magnitude and was told no, that it would have to be a financial loss like is associated with internet credit card fraud. Given how Kevin Mitnick was convicted and sentenced on 'evidence' that included employee time for investigation and cleanup, why is this any different for me?
So many reasons, it's hard to count! But here's a couple for starters:
1) Your Mitnick example was how evidence was used in court to determine guilt and sentencing. That is a different animal than investigatory guidelines as to which cases should be pursued.
2) The Mitnick thing was years ago, and activity is so much higher now that they might have set the bar higher in terms of what cases to pursue.
Stop by my site where I write about ERP systems & more
Every admin who has been reflexively typing 'yes' to the
The RSA host key for yoursite.com has changed, use new key?
prompt is now shuddering to think how many passwords s/he might have handed the "Man in the Middle."
Good Job.
The computer police too. I've been mugged, robbed, and assulted multiple times in my life, and the police were never interested in helping. My car was just broken into, and I had $4000 in computer equipment stolen out of it. I called to file a report and have them come down and dust for prints, and they said that they can't send anyone down.
Of course, I've been stopped and harrassed by cops on a number of occasions. My brother gave me a small cut in a fight that required stitches, and they investigated my parents for child abuse. I've been accused of possessing marijuana for having a tomato stem in the cup holder of my car. I have to drive through a police checkpoint every day on the way back from work on highway 15 in San Diego. After I hit a spare tire that flew off the back of a car in front of me, the police officer wanted to write me a ticket because he was upset that he had to drive out a take a report.
I'm a law abiding citizen without a mark on my record, and I can still say: fuck the police
LS
There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
They are there to protect businesses and the government itself.
This is a disturbing trend in the United States of Lawyers and short of a revolution there is not much that can be done to reverse it. Just look at the article from yesterday where Oral Hatch wants to exclude copyright owners from anti-hacking laws so they can destroy a personal computer. It's sad and scary.
What the USL needs is a new Bill of Rights that protects people from corporations.
.... what is funny here is how the Fed spends soooo much energy collecting powers over the internet that it has no idea how to use.
I think sometimes that the internet might be too big for them in it's present form. Better to break it and build something new! Something where Disney can get a signoff.
As much pomp and posturing as some of these organizations do, in my experience, the FBI guy you talked to was right: unless its a big company that has the cash to sue the government for not enforcing the laws, or at least raise a stink about it, these organizations will do nothing.
The reason for this, as I see it, is that most of the legal side of this stuff is handled at a federal level. So if only say, 100 people or so are affected, they're simply not going to waste their time on it. The only solution I could see to this problem is that, once the general populace becomes better educated to whats out there and what all this "fancy internet stuff" means, there is the possibility that smaller, more municipal "cyber crime" organizations may spring up, to deal with complaints coming from people in their municipality. Until then, its a jungle out there, and its every man for himself.
Mod Points: Helping you keep your opinion to yourself.
I say this only partially in jest, but maybe try contacting the dept of homeland defense, or GWB himself or something. Call it terrorism, they'll be shut down faster than you can say "foo".
Seriously though, with the increase in the gov't involvment and crackdown on cyber terrorism (or they say there is) isn't this a prime candidate?
That said, it's scary that the ISP doesn't seem to give a fark about this. If I was in charge of their security I'd be fixing this as quickly as possible, not letting my company's customers continue to use a compromised service. Wouldn't it be considered negligence to allow your customers to continue using a server you know to be compromised (ie: not changing the DHCP server back, or simply shutting down all access)? Personally I'd much rather loose my net access for a bit while this is cleaned up than my ISP knowingly let me proxy through sniffers and password grabbers.....
It sucks that the law-enforcement agencies won't help private individuals; however, since it's a company that's being hacked, they should be able to put their resources on it.
The problem here seems to be this: the company has been hacked and it's the customer researching the problem and trying to get help. The FBI isn't particularly interested in hearing some guy talk about a compromise of someone else's server -- hopefully Charter is dealing with them and the agents shouldn't be keeping you informed of the status of an investigation to which you're basically a bystander.
Sorry, HeelToe, you're being a good guy and did the best you could. Now, it's between you and the ISP.
What I'm listening to now on Pandora...
*They* will certainly care about a hijacked proxy achiving account numbers and sniffing passwords. Now, when they call your ISP - I bet they would take immediate notice.
-- your Web browser is Ronald Reagan
Have you tried running Spybot or Adaware lately? If you try going to p5115.tdko.com, you'll find it's a website for lop.com. Which, incidentally, is an infamous purveyer of spyware:
http://www.spywareinfo.com/articles/lop/
"People that quote themselves in their signatures bother me" - athakur999
You can't. But fortunately, exactly that (and more) is what server keys and challenge auth is for. So never, never! ignore when your client for a secured connection complains about non-matching keys.
I'm truly amazed that Charter and the FBI blew you off like this.
You've already tried going through channels so the next step is embarrassing them into doing something about it - notifying news media outlets and posting to slashdot are probably all you can do though. If Charter has any specific usenet groups like @Home used to have, I'd post this info there as well.
Best thing would be to get this on TV as then they can't ignore it. Charter is based in St. Louis and I'm sure one of the consumer affairs reporters at one of the TV stations in town would be interested in finding out that the major ISP in town is letting their users' passwords and other info get leeched.
Don't be amazed.
It's just the way they work; unless its internally generated, whether a charter, the FBI, or any other investigatory agency, they just don't want to see it; they have already got a job, things to do, and they don't want you adding to the load.
If you REALLY PUSH, they will usually put you in contact with someone who at least has a clue what you are talking about, but the first thing THEY will do, if you are a private individual, is see if you are the criminal; you are guilty until proven innocent, if you actually get them to take you seriously.
They also will have no interest whatsoever in any evidence you have gathered; they know that it won't be investigated for most likely months, so there is really no point to it.
If you encounter any behavior other than this, you should really keep it to yourself; otherwise the competent individual you encountered will most likely get fired.
I know of what I speak; I ran into some blatantly immoral(important) non-legal(not so important) activity in the past and determined to get it taken care of no matter what the cost in time or effort.
and the costs were very high.
Why, yes, I AM a Pagan Libertarian.
Unfotunately, nobody cares when it comes to the consumer. About a year ago a new vulnerability in AuthorizeNet's billing gateway was discovered that would allow someone to submit authorize-only transactions knowing nothing but your AuthorizeNet username, which was often found embedded within the various forms of an online store. One of my e-commerce clients fell victim to this, and had over 600 $0.01 authorize-only transactions submitted in under an hour. Basically what this meant was that someone was using my client's account to verify stolen credit card numbers.
Going through my logs, I was able to get the IP addresses these submissions came from, the e-mail addresses the results were sent to (not sure why they bothered with that), and all information on every single card submitted. This included the card number, expiration date, and the cardholder's name and address. I contacted AuthorizeNet but they said it wasn't their problem. I called Visa and Mastercard but they just asked for a printout to be faxed to them (600 item spreadsheet 5 pages wide). I contacted the FBI and was referred to the NSA. I contacted the NSA and they said call back Monday since at this point it was about 6pm Friday evening.
I was appalled to find out that some identifiable hacker with an arsonal of valid cards was about to be given an entire weekend to sell or use them before anyone would even consider looking into it. I couldn't even get the credit card companies to accept the spreadsheet of THEIR customers so they could at least warn them all that their cards had been compromized.
I finally just gave up and destroyed any evidence of this fraudulent activity having ever taken place. With my luck, not only would the hacker get away, but I'd be the one in hot water for posessing that spreadsheet. It just goes to show you that nobody cares about the consumer.
I'm sure one of the consumer affairs reporters at one of the TV stations in town would be interested in finding out that the major ISP in town is letting their users' passwords and other info get leeched.
They probably wouldn't touch the story. DNS is too technical, heck I'd have to explain this story to some of the support people I've worked with and then a few of them still wouldn't get it. Joe six pack doesn't have a chance, especially since they'd have to achive understanding in the few minutes the medium allows.
But he isn't a bystander. The attacker is attempting to steal his passwords (and credit card numbers for those who don't notice and sending it unencrypted). I would consider myself under attack in such a situation.
That said I am not surprised by Charter's response. I had @Home for almost two years with out technical issue (one double billing, which they resolved quickly), until they went under and I was switched to Charter's service. I spent over 40 hours on tech support with them trying to get them to finally find the missing entry in their database that was causing my service to be interrupted (I was down for 18 days). From my experience, I doubt one could find a more incompetent ISP.
This message is encrypted with Quad ROT-13 to protect the author's copyright under the DMCA.
Google, while not having a wealth of info on tdko.com, did have some useful bits: groups
I'd heard the name tdko before, I was pretty sure, in the context of a Bonza or Gator or something. They'll change your default search page in IE, etc, this sounds like just another dirty trick. I doubt they compromised the DHCP servers themselves, my guess is that some pop-up or spyware app changed your settings locally. If you did try it from multiple systems, well, they're several of YOUR systems, you may have visited to same site or installed the same spyware on each. I think eDonkey F'd with my default search page IIRC.
I like music
Simplify it without lying. Say that one of the ISP's servers has been cracked, and that this is allowing user passwords and information to be leaked. Give technical details at the end of the story, but keep the front part clear and simple.
I can't say that I don't give a fuck. I've just run out of fuck to give.
You start with a call to the highest rated local TV station and ask to speak to the "assignment desk or assignment editor" (this is the person who sends out reporters to stories). Explain to this person that a local ISP has been hacked and that customer data, including passwords and financial data, is at risk and the ISP doesn't appear to care. Repeat until you find a TV station who takes the bait. Then take one or both of the courses of action below.
ONE: Call the ISP and ask to speak to the CEO. Tell them that their servers have been hacked, that their tech support was not interested in the potential for theft/abuse of customers personal data, and that you have reported it to the local media and will be running a demo of what is going on for the reporters. Ask them to be sure to have someone on hand for a phone interview with the TV reporters so they can explain why the hacking happened and what they have done to fix the situation. Get the name and number of the person the TV reporter should call.
TWO: Call the ISP and ask to speak to their legal staff. (repeat story you tell to CEO) Ask them who is the right person for the ISP customers to send damage claims to, and also ask them to have someone on hand for the reporters to interview to explain what laws have been violated and how the ISP intends to get the laws enforced.
Send it to charter. List at the end the OTHER people to ewhom you are sending it, and you'll need to send them all snail mail, with the two (yes, two- one to the folks you spoke to, one addressed to the CEO, which will be read by a secretary and passed on to someone whose job it is to keep these things quiet) to Charter certified mail, return receipt requested. Those others will go to:
Your US congressional reps- both houses, whether you voted for them or not; (i'm assuming you're in the US, if not go for the nearest equivalent of these)
The Better Business Bureau;
the state attorney general's office
the FBI office that you contacted;
The FCC;
Anyone and Everyone whom you think might be interested, NOT counting the media. Why not? Because you want to be able to prove that you gave them a chance to correct the problem before you take it further. You are certainly allowed to suggest that it might be possible, but mention first that you need a written response from them telling what they plan to do about this (tell them what you want this to be), and mention that you will seek the assistance of a lawyer if this clear threat to you as their customer is not immediately remedied.
Keep a copy of the letter. Offer to send supporting evidence AS SOON AS they have officially begun their remedial actions and you have received initial results. (or you may wish to send it sooner, at least the info that you feel comfortable having random secretaries seeing.)
IANAL, but I have good reason to recommend this method. Incidentally, it works for a LOT of customer issues, and you have to be sure to send out copies of follow-up letters to the same set of people. Make sure to document hours spent working on it, and all the people whom you've spoken with and when. Media is for after their failure to remedy the matter after 1 letter, just add it to the CC list. You might try writing the second letters as two- one to the company, one to the attorney general or congressional folks, and the other to the company, and include copies of both in the envelope to the company. Their failure to help is against entirely different laws. Use the words "acted in bad faith."
be persistent. It helps.
"I'd say 'Have a good time,' but arson is still illegal.
The problem with "working up the ladder" is that you're dealing with folks who are just cogs in the machine. Either they're hemmed in by procedures, or they afraid to stick they necks out. Probably both.
Of course, it's still likely that whoever you get in contact with will just blow you off. That's especially true if the company has legal exposure. (As an ISP in this situation certainly would!) But at least you'll know that people with actual decision-making powers are aware of the problem.
My husband is white. Obviously white. However, he shaves his head, and has a goatee. For a time, we also drove around in a 1979 Olds Cutlass, one of the cars Latino gangs favor.
For the time we owned the Cutlass, my husband got pulled over on a regular basis.
The M.O. was the same. Richie gets pulled over. He is instructed to put his hands on his head. The cops eyeball the car, then finally check him out. The blue eyes are a dead giveaway that the person they pulled over does not "fit the profile."
The cops then go into a very embarrassed hemming and hawing dance. "Terribly sorry, sir, continue on your way, have a good one."
I dread to think what would have happened had Richie actually been Latino. We now drive around in a beige Chevy Nova '86 (basically a Toyota Corolla) and he hasn't been pulled over since.
Lousy fuckin LAPD...
Knowledge is power. Knowledge shared is power multiplied.
Not a bit of your post addresses the original issues: ineffective law enforcement. The OP never said that there should not be police, IIRC: rather, he gave instances where they didn't serve a useful function, either by commission or omission.
Certainly, law enforcement is by its nature an unpleasant profession. Certainly, there is a need for law enforcement. The original poster, methinks, would agree. If the cops stopped wasting their time on foolishness (e.g. drug, alcohol, weapons and traffic enforcement) and instead focused on real problems (e.g. rape, murder, theft and fraud), I don't believe people would particularly hate them. It's when the police are the willing enforcer-thugs of an authoritarian state that we lose our respect for them--and quite rightly so.
As for your suggestion to volunteer: I refuse to supply my labour in order to free up time for a cop to issue a single other drug or speeding citation. I refuse to supply my labour in order to free up time for a liquor-law sting operation. I refuse to subsidise injustice.
The FBI is going to ignore anything unless you allege that you lost $5,000. In the real world, unless you see some fraud on your credit card after theives stole your number off your computer, they probably aren't going to care. Also, if someone uses your computer to attack and damage other computers (or even deface) that might get their attention. Here's the main collection of federal laws that apply to computer crime.
http://www.cybercrime.gov/cclaws.html
And here's the primary criminal law that applies:
18 USC 1030. Fraud and related activity in connection with computers
(a) Whoever--
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y.[(y)] of section 11 of the Atomic Energy Act of 1954 [42 USCS Â 2014(y)], with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains--
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $ 5,000 in any 1-year period;
(5) (A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)--
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $ 5,000 in value;
The law isn't to protect you and me, it's to protect the people who pay the lawmakers....corporations. I gaurantee you if someone hacked into your PC, stole your credit card, and charged $1,000 to it the FBI wouldn't do sh!t. Factor in as much money as you want for your time in tracking it down. They wouldn't care, because you are not onpayroll at a corporation, so the damage is minimal. Money talks, same as always, and corporations have more of it than an individual. Now if you were a multi-millionaire and actively donated to political funds. I bet it would be different.
"The saddest words of mice and men, are not those which were, but should have been."
While you may think im joking i am serious.
None of this stuff is to protect the citizens. unless you are a large corporation or an elected official you are out of luck.
Im surprised they even talked to you at all personally. Even small companies have a hard time getting any help, they are too 'trivial' to bother with.
Not saying i agree, its just reality.. they DONT CARE about 'us'.
---- Booth was a patriot ----
It means what we already knew: That you as a single person are of no value to your government. This is the real world in which corporations can get tax breaks, get away with multi million dollar fraud, sic the feds onto you for sharing an mp3, sue you for your life's savings and the world in which you are powerless. It's exagerated but this is why communism was so popular in the early 20th century. The commies promised to put the rich fuckers up against the wall and shoot them. (They did this of course, but thereafter they were the one's treating you like shit)
...and perhaps you should check your hosts file in c:\windows\system32\drivers\etc as well ;)
The next time you think big business and globalisation is fine and that those pesky anti-war demonstrators should get locked away, think of this again.