Slashdot Mirror


Getting Law Enforcement Action for a Large-Scale Hack?

HeelToe asks: "Two nights ago, I sat down to do a few chores with finance websites and check my mail. To check my mail, I use an ssh connection and read it via mutt. I had already hit Slashdot for my semi-hourly dose of content, but then noticed my ssh client complaining about a difference between its cached copy of the server key and the server key presented, so I started investigation. After figuring out what was going on, I contacted the tech support line for my service provider (Charter Communications) to no avail, as well as the FBI and NIPC, again, both to no avail. There are all these laws and all this hype about enforcing these computer crime laws - what must an end user do to get some enforcement done? Read on for more, much more..." Update: 06/21 19:13 GMT by C: As it turns out, the issue wasn't a hack at Charter but a particularly nasty form of spyware. Still, the question is valid, and some of the suggestions already given have been really informative. Keep 'em coming!

"So I determined that I was connecting to xxx.p5115.tdko.com instead of xxx. I started looking at dns settings. Of course, under Windows, the default is to accept the default dns domain specified by a DHCP server for the PC's ethernet connection. There are settings to disable this, but I hadn't thought about it until now. It turns out, Charter Communications' DHCP servers were infiltrated and were providing p5115.tdko.com as the 'Connection-specific DNS suffix', causing all non-hardened Windows (whatever that means in a Windows context) machines to get lookups from a hijacked subdomain DNS server which simply responded to every query with a set of 3 addresses (66.220.17.45, 66.220.17.46, 66.220.17.47).

On these IPs were some phantom services. There were proxying web servers (presumably collecting cookies and username/password combos), as well as an ssh server where the perpetrators were most likely hoping people would simply say 'yes' to the key differences and enter in their username/password.

Has anyone else seen this type of attack before? Pretty sneaky. I bet it would slip by most people that don't use anything but a web browser. This makes me want to step up my plans to put an OpenBSD firewall in place and allow it as little trust of the outside world as possible, providing more trusted DNS/DHCP services to the hosts on my network. It would be nicer to be able to boot the thing self-contained-and-configured off read-only media and have no writable access to anything from the operating system to totally prevent break-in/tampering.

With respect to the law enforcement issues: I first called Charter, and after 10 minutes on hold was told to submit a report to their abuse account. I asked the tech support rep if they really wanted me submitting the incident report through a hijacked proxying web server. I hadn't yet reconfigured my Windows systems because I wanted to collect as much information as possible while the attack was still live. The long and short from the tech support rep was they'd look at it, but couldn't do anything with respect to responding to me about it unless I submitted that report.

I moved on to calling the FBI. The after hours person had no idea what evidence collection procedures I should follow, nor if their office would even be interested in investigation. I was told to call back during business hours. I did a little searching and found the National Infrastructure Protection Center. I gave them a ring and was asked to fill out an incident report. I was told it would be reviewed in the NOC quickly and a decision made about further investigation. The rep answering the phone said to collect any and all information I could think of regarding the attack. I got a response later this morning that their NOC personnel had evaluated the report and decided not to investigate further.

I called the FBI back this morning, only to be told they generally didn't investigate these types of crimes for individuals, but usually only for companies that had lost at least a couple thousand dollars. To inflate my ego a bit, I asked if I could count my time cleaning up/investigating as a loss of this magnitude and was told no, that it would have to be a financial loss like is associated with internet credit card fraud. Given how Kevin Mitnick was convicted and sentenced on 'evidence' that included employee time for investigation and cleanup, why is this any different for me?

With respect to getting some action on any future attacks - what should I do? Who should I call? I'm not a h/\x0r, and I have reasonable investigation skills, but aren't there professionals doing this to uphold the law? What's the point of all those federal laws anyway? Monitoring of third party communications, without the consent of either party; unauthorized access to Charter's systems - the list can go on a lot further depending on the activity happening at those proxying servers. Are these laws just tools to oppress unpopular computer criminals but just plain not enforced most of the time?

I found this situation and particular method of attack interesting... hopefully this was fun to read. If you have suggestions for what I should do in the future to handle attacks, I'd love to hear about it!"
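The search-suffix mechanics the post describes, and a check for the wildcard behaviour it found, as an added example that is not part of the original post. The suffix and the three addresses are the ones reported above; the resolver is a constructed stand-in so the script runs offline, and on a live machine you would pass `lambda n: socket.gethostbyname_ex(n)[2]` and the suffix shown by `ipconfig /all` instead. Devolution of names that already contain a dot is not modelled (an assumption).

```python
import random
import string
from typing import Callable, Dict, List, Set

# Values reported in the post; the resolver below is a constructed stand-in.
HIJACK_SUFFIX = "p5115.tdko.com"
HIJACK_ANSWERS = ["66.220.17.45", "66.220.17.46", "66.220.17.47"]

Resolver = Callable[[str], List[str]]


def fake_resolver(name: str) -> List[str]:
    """Constructed stand-in for a stub resolver (socket.gethostbyname_ex):
    every name under the hijacked suffix gets the same three answers,
    anything else is treated as NXDOMAIN."""
    if name.lower().endswith("." + HIJACK_SUFFIX):
        return list(HIJACK_ANSWERS)
    raise OSError("NXDOMAIN: " + name)


def qualify(name: str, suffix: str) -> str:
    """What a Windows stub resolver does with an unqualified name when a
    connection-specific DNS suffix is set: 'xxx' becomes 'xxx.<suffix>'.
    Names that already contain a dot are left alone here (assumption:
    'append parent suffixes' style devolution is not modelled)."""
    if not suffix or "." in name:
        return name
    return f"{name}.{suffix}"


def random_label(length: int = 12) -> str:
    """A label nobody has registered, e.g. 'q7mz0kd9a1xw'."""
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=length))


def wildcard_answers(suffix: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve several never-registered labels under the suffix. A healthy
    zone returns NXDOMAIN for them; a wildcard (or hijacked) zone answers
    all of them, typically with the same addresses. Returns the addresses
    common to every probe, or an empty set when any probe fails."""
    seen = []
    for _ in range(probes):
        try:
            seen.append(frozenset(resolve(qualify(random_label(), suffix))))
        except OSError:
            return set()
    return set(frozenset.intersection(*seen))


def check_suffix(suffix: str, resolve: Resolver) -> Dict[str, object]:
    """Summary of the probe: wildcard=True means every unqualified name you
    type is being steered to the listed addresses."""
    answers = wildcard_answers(suffix, resolve)
    return {"suffix": suffix, "wildcard": bool(answers), "answers": sorted(answers)}


if __name__ == "__main__":
    print(check_suffix(HIJACK_SUFFIX, fake_resolver))
    # Live use: check_suffix(suffix_from_ipconfig, lambda n: socket.gethostbyname_ex(n)[2])
```

A suffix that answers random labels is the signature of the attack in the post: the hijacked zone does not need to know which host you were after, because any name under it resolves to the proxy.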


  1. Money == attention by Whammy666 · · Score: 5, Insightful

    It has been my experience that unless there are some large monetary losses involved, you're going to have a hard time getting law enforcement to do much of anything. Generally, for simple break-ins, they expect you to handle it yourself (typically contacting the ISP of the hacker).

    --
    When all else fails, run.
  2. They've got to have some guidelines... by TopShelf · · Score: 4, Insightful

    To inflate my ego a bit, I asked if I could count my time cleaning up/investigating as a loss of this magnitude and was told no, that it would have to be a financial loss like is associated with internet credit card fraud. Given how Kevin Mitnick was convicted and sentenced on 'evidence' that included employee time for investigation and cleanup, why is this any different for me?

    So many reasons, it's hard to count! But here's a couple for starters:

    1) Your Mitnick example was how evidence was used in court to determine guilt and sentencing. That is a different animal than investigatory guidelines as to which cases should be pursued.
    2) The Mitnick thing was years ago, and activity is so much higher now that they might have set the bar higher in terms of what cases to pursue.

    --
    Stop by my site where I write about ERP systems & more
  3. Well, you have done some good here already. by OwnerOfWhinyCat · · Score: 4, Insightful

    Every admin who has been reflexively typing 'yes' to the

    The RSA host key for yoursite.com has changed, use new key?

    prompt is now shuddering to think how many passwords s/he might have handed the "Man in the Middle."

    Good Job.

  4. F*ck the police by LS · · Score: 5, Insightful

    The computer police too. I've been mugged, robbed, and assaulted multiple times in my life, and the police were never interested in helping. My car was just broken into, and I had $4000 in computer equipment stolen out of it. I called to file a report and have them come down and dust for prints, and they said that they can't send anyone down.

    Of course, I've been stopped and harassed by cops on a number of occasions. My brother gave me a small cut in a fight that required stitches, and they investigated my parents for child abuse. I've been accused of possessing marijuana for having a tomato stem in the cup holder of my car. I have to drive through a police checkpoint every day on the way back from work on highway 15 in San Diego. After I hit a spare tire that flew off the back of a car in front of me, the police officer wanted to write me a ticket because he was upset that he had to drive out and take a report.

    I'm a law abiding citizen without a mark on my record, and I can still say: fuck the police

    LS

    --
    There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
    1. Re:F*ck the police by Dr_LHA · · Score: 4, Insightful

      Agreed entirely. Your story is one I've heard a thousand times, and one I've experienced myself. When I was 16 years old I was once knocked off my bicycle by a guy in a van. The police got involved as I was pretty seriously injured (and almost run over by a bus as part of the incident). Turns out the guy had no driving license, no insurance and had not paid his car tax. He shouldn't have been driving the van in the first place.

      I was told in no uncertain terms that the guy would not be prosecuted in any way.

      Just like you I've also been hassled by the police on many occasions for no good reason, been forced to show ID for such crimes as "walking home after 3am" etc. I know that police have a hard job to do, but really they need to remember that their motto is "To Protect and Serve" not "To Hassle and Intimidate".

  5. The Point of all those Tech Laws by huckamania · · Score: 5, Insightful

    They are there to protect businesses and the government itself.

    This is a disturbing trend in the United States of Lawyers and short of a revolution there is not much that can be done to reverse it. Just look at the article from yesterday where Orrin Hatch wants to exclude copyright owners from anti-hacking laws so they can destroy a personal computer. It's sad and scary.

    What the USL needs is a new Bill of Rights that protects people from corporations.

  6. The Irony.... by Picass0 · · Score: 4, Insightful

    .... what is funny here is how the Fed spends soooo much energy collecting powers over the internet that it has no idea how to use.

    I think sometimes that the internet might be too big for them in its present form. Better to break it and build something new! Something where Disney can get a signoff.

  7. Douglas Adams gave a good answer for this... by Nemus · · Score: 4, Insightful
    Apparently this problem is protected by a SEP shield (Somebody Else's Problem). Simply put, it doesn't affect these people directly, so they couldn't give a wingnut less.

    As much pomp and posturing as some of these organizations do, in my experience, the FBI guy you talked to was right: unless it's a big company that has the cash to sue the government for not enforcing the laws, or at least raise a stink about it, these organizations will do nothing.

    The reason for this, as I see it, is that most of the legal side of this stuff is handled at a federal level. So if only, say, 100 people or so are affected, they're simply not going to waste their time on it. The only solution I could see to this problem is that, once the general populace becomes better educated to what's out there and what all this "fancy internet stuff" means, there is the possibility that smaller, more municipal "cyber crime" organizations may spring up, to deal with complaints coming from people in their municipality. Until then, it's a jungle out there, and it's every man for himself.

    --
    Mod Points: Helping you keep your opinion to yourself.
  8. Call them Terrorists by Alan · · Score: 5, Insightful

    I say this only partially in jest, but maybe try contacting the dept of homeland defense, or GWB himself or something. Call it terrorism, they'll be shut down faster than you can say "foo".

    Seriously though, with the increase in the gov't involvement and crackdown on cyber terrorism (or they say there is), isn't this a prime candidate?

    That said, it's scary that the ISP doesn't seem to give a fark about this. If I was in charge of their security I'd be fixing this as quickly as possible, not letting my company's customers continue to use a compromised service. Wouldn't it be considered negligence to allow your customers to continue using a server you know to be compromised (ie: not changing the DHCP server back, or simply shutting down all access)? Personally I'd much rather lose my net access for a bit while this is cleaned up than have my ISP knowingly let me proxy through sniffers and password grabbers.....

  9. Re:Call tech support, but by Otter · · Score: 5, Insightful
    (Wow, 32 comments and no one has told him it's his fault for using Windows?!?)

    It sucks that the law-enforcement agencies won't help private individuals; however, since it's a company that's being hacked, they should be able to put their resources on it.

    The problem here seems to be this: the company has been hacked and it's the customer researching the problem and trying to get help. The FBI isn't particularly interested in hearing some guy talk about a compromise of someone else's server -- hopefully Charter is dealing with them and the agents shouldn't be keeping you informed of the status of an investigation to which you're basically a bystander.

    Sorry, HeelToe, you're being a good guy and did the best you could. Now, it's between you and the ISP.

  10. VISA would have been my next call. by garyrich · · Score: 5, Insightful

    *They* will certainly care about a hijacked proxy archiving account numbers and sniffing passwords. Now, when they call your ISP - I bet they would take immediate notice.

    --
    -- your Web browser is Ronald Reagan
  11. lop.com by athakur999 · · Score: 5, Insightful

    Have you tried running Spybot or Adaware lately? If you try going to p5115.tdko.com, you'll find it's a website for lop.com. Which, incidentally, is an infamous purveyor of spyware:

    http://www.spywareinfo.com/articles/lop/

    --
    "People that quote themselves in their signatures bother me" - athakur999
  12. Re:This is giving me the cold sweats by platypus · · Score: 4, Insightful

    You can't. But fortunately, exactly that (and more) is what server keys and challenge auth is for. So never, never! ignore when your client for a secured connection complains about non-matching keys.
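What the "host key has changed" warning in comment 3 and comment 12 is actually comparing, as an added example that is not part of the original thread: a small known_hosts checker in Python that reproduces the OpenSSH fingerprint and hashed-hostname formats. The keys, hostnames and known_hosts content are constructed; wildcard host patterns and the @revoked/@cert-authority markers are not handled (an assumption to keep the example short).

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Wire-format public key blob, the thing that appears base64-encoded in
    the third field of a known_hosts line."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint(blob: bytes) -> str:
    """Fingerprint as 'ssh-keygen -l -E sha256' prints it: unpadded base64 of
    SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_pattern(host: str, salt: bytes) -> str:
    """Host field as written by 'ssh-keygen -H':
    |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern: str, host: str) -> bool:
    """Match a known_hosts host field against a hostname. Handles plain
    comma-separated aliases and hashed entries; wildcard patterns are not
    modelled here (assumption)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")


def stored_key(known_hosts: str, host: str, keytype: str) -> Optional[bytes]:
    """Return the key blob recorded for (host, keytype), or None. Marker lines
    (@cert-authority, @revoked) are skipped to keep the example short."""
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[1] == keytype and host_matches(fields[0], host):
            return base64.b64decode(fields[2])
    return None


def verify_host_key(known_hosts: str, host: str, keytype: str, presented: bytes) -> str:
    """'unknown' (first contact, the trust-on-first-use decision), 'match', or
    'MISMATCH' (what the poster's client warned about: never answer yes)."""
    stored = stored_key(known_hosts, host, keytype)
    if stored is None:
        return "unknown"
    return "match" if hmac.compare_digest(stored, presented) else "MISMATCH"


# Constructed keys and known_hosts content; not real servers or keys.
GOOD_KEY = ed25519_blob(bytes(range(32)))
EVIL_KEY = ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "mail.example.org,10.0.0.5 ssh-ed25519 " + base64.b64encode(GOOD_KEY).decode(),
    hashed_pattern("shell.example.org", b"0123456789abcdefghij") + " ssh-ed25519 "
    + base64.b64encode(GOOD_KEY).decode(),
])


if __name__ == "__main__":
    print("stored  ", fingerprint(GOOD_KEY))
    print("offered ", fingerprint(EVIL_KEY))
    print(verify_host_key(KNOWN_HOSTS, "mail.example.org", "ssh-ed25519", EVIL_KEY))
```

The only way to turn a MISMATCH back into a match is to confirm the new fingerprint with the server operator over a channel the attacker does not control; comparing it against the one the same possibly-proxied connection shows you proves nothing.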

  13. Re:Call tech support, but embarrass them too by tigris · · Score: 5, Insightful

    I'm truly amazed that Charter and the FBI blew you off like this.

    You've already tried going through channels so the next step is embarrassing them into doing something about it - notifying news media outlets and posting to slashdot are probably all you can do though. If Charter has any specific usenet groups like @Home used to have, I'd post this info there as well.

    Best thing would be to get this on TV as then they can't ignore it. Charter is based in St. Louis and I'm sure one of the consumer affairs reporters at one of the TV stations in town would be interested in finding out that the major ISP in town is letting their users' passwords and other info get leeched.

  14. Re:Call tech support, but embarrass them too by paganizer · · Score: 4, Insightful

    Don't be amazed.
    It's just the way they work; unless it's internally generated, whether Charter, the FBI, or any other investigatory agency, they just don't want to see it; they have already got a job, things to do, and they don't want you adding to the load.
    If you REALLY PUSH, they will usually put you in contact with someone who at least has a clue what you are talking about, but the first thing THEY will do, if you are a private individual, is see if you are the criminal; you are guilty until proven innocent, if you actually get them to take you seriously.
    They also will have no interest whatsoever in any evidence you have gathered; they know that it won't be investigated for most likely months, so there is really no point to it.
    If you encounter any behavior other than this, you should really keep it to yourself; otherwise the competent individual you encountered will most likely get fired.
    I know of what I speak; I ran into some blatantly immoral(important) non-legal(not so important) activity in the past and determined to get it taken care of no matter what the cost in time or effort.
    And the costs were very high.

    --
    Why, yes, I AM a Pagan Libertarian.
  15. Nobody cares by hafree · · Score: 4, Insightful

    Unfortunately, nobody cares when it comes to the consumer. About a year ago a new vulnerability in AuthorizeNet's billing gateway was discovered that would allow someone to submit authorize-only transactions knowing nothing but your AuthorizeNet username, which was often found embedded within the various forms of an online store. One of my e-commerce clients fell victim to this, and had over 600 $0.01 authorize-only transactions submitted in under an hour. Basically what this meant was that someone was using my client's account to verify stolen credit card numbers.

    Going through my logs, I was able to get the IP addresses these submissions came from, the e-mail addresses the results were sent to (not sure why they bothered with that), and all information on every single card submitted. This included the card number, expiration date, and the cardholder's name and address. I contacted AuthorizeNet but they said it wasn't their problem. I called Visa and Mastercard but they just asked for a printout to be faxed to them (600 item spreadsheet 5 pages wide). I contacted the FBI and was referred to the NSA. I contacted the NSA and they said call back Monday since at this point it was about 6pm Friday evening.

    I was appalled to find out that some identifiable hacker with an arsenal of valid cards was about to be given an entire weekend to sell or use them before anyone would even consider looking into it. I couldn't even get the credit card companies to accept the spreadsheet of THEIR customers so they could at least warn them all that their cards had been compromised.

    I finally just gave up and destroyed any evidence of this fraudulent activity having ever taken place. With my luck, not only would the hacker get away, but I'd be the one in hot water for possessing that spreadsheet. It just goes to show you that nobody cares about the consumer.

  16. Re:Call tech support, but embarrass them too by mitheral · · Score: 4, Insightful

    I'm sure one of the consumer affairs reporters at one of the TV stations in town would be interested in finding out that the major ISP in town is letting their users' passwords and other info get leeched.

    They probably wouldn't touch the story. DNS is too technical; heck, I'd have to explain this story to some of the support people I've worked with and then a few of them still wouldn't get it. Joe six pack doesn't have a chance, especially since they'd have to achieve understanding in the few minutes the medium allows.

  17. Re:Call tech support, but by dszd0g · · Score: 4, Insightful

    But he isn't a bystander. The attacker is attempting to steal his passwords (and credit card numbers, for those who don't notice and send them unencrypted). I would consider myself under attack in such a situation.

    That said, I am not surprised by Charter's response. I had @Home for almost two years without technical issue (one double billing, which they resolved quickly), until they went under and I was switched to Charter's service. I spent over 40 hours on tech support with them trying to get them to finally find the missing entry in their database that was causing my service to be interrupted (I was down for 18 days). From my experience, I doubt one could find a more incompetent ISP.

    --
    This message is encrypted with Quad ROT-13 to protect the author's copyright under the DMCA.
  18. This is not a Charter problem by xrayspx · · Score: 4, Insightful

    Google, while not having a wealth of info on tdko.com, did have some useful bits: groups
    I'd heard the name tdko before, I was pretty sure, in the context of a Bonzi or Gator or something. They'll change your default search page in IE, etc, this sounds like just another dirty trick. I doubt they compromised the DHCP servers themselves; my guess is that some pop-up or spyware app changed your settings locally. If you did try it from multiple systems, well, they're several of YOUR systems, you may have visited the same site or installed the same spyware on each. I think eDonkey F'd with my default search page IIRC.

  19. it's all about cc: by SolemnDragon · · Score: 5, Insightful
    Write a letter.
    Send it to Charter. List at the end the OTHER people to whom you are sending it, and you'll need to send them all snail mail, with the two (yes, two - one to the folks you spoke to, one addressed to the CEO, which will be read by a secretary and passed on to someone whose job it is to keep these things quiet) to Charter certified mail, return receipt requested. Those others will go to:

    Your US congressional reps- both houses, whether you voted for them or not; (i'm assuming you're in the US, if not go for the nearest equivalent of these)

    The Better Business Bureau;

    the state attorney general's office

    the FBI office that you contacted;

    The FCC;

    Anyone and Everyone whom you think might be interested, NOT counting the media. Why not? Because you want to be able to prove that you gave them a chance to correct the problem before you take it further. You are certainly allowed to suggest that it might be possible, but mention first that you need a written response from them telling what they plan to do about this (tell them what you want this to be), and mention that you will seek the assistance of a lawyer if this clear threat to you as their customer is not immediately remedied.

    Keep a copy of the letter. Offer to send supporting evidence AS SOON AS they have officially begun their remedial actions and you have received initial results. (or you may wish to send it sooner, at least the info that you feel comfortable having random secretaries seeing.)

    IANAL, but I have good reason to recommend this method. Incidentally, it works for a LOT of customer issues, and you have to be sure to send out copies of follow-up letters to the same set of people. Make sure to document hours spent working on it, and all the people whom you've spoken with and when. Media is for after their failure to remedy the matter after 1 letter, just add it to the CC list. You might try writing the second letters as two- one to the company, one to the attorney general or congressional folks, and the other to the company, and include copies of both in the envelope to the company. Their failure to help is against entirely different laws. Use the words "acted in bad faith."

    be persistent. It helps.

  20. How to make noise by fm6 · · Score: 4, Insightful
    Doing it in writing makes it easier for the CEO to pass the responsibility on quickly. All he has to do is take a few seconds to read your letter, and a few seconds to delegate the solving of your problem. He doesn't even have to try to re-articulate what your problem is through phone calls and garbled telephone tag -- you've done this for him already.
    This is absolutely correct. I've done this a couple times myself. I have no idea whether the CEO him/herself actually read my letter. Probably not. But both times I got back letters from high-ranking company officials. And not boilerplate noise, either -- carefully written letters that directly addressed the issues I raised.

    The problem with "working up the ladder" is that you're dealing with folks who are just cogs in the machine. Either they're hemmed in by procedures, or they're afraid to stick their necks out. Probably both.

    Of course, it's still likely that whoever you get in contact with will just blow you off. That's especially true if the company has legal exposure. (As an ISP in this situation certainly would!) But at least you'll know that people with actual decision-making powers are aware of the problem.

  21. Rule #1, citizens dont count by nurb432 · · Score: 4, Insightful

    While you may think I'm joking, I am serious.

    None of this stuff is to protect the citizens. unless you are a large corporation or an elected official you are out of luck.

    I'm surprised they even talked to you at all personally. Even small companies have a hard time getting any help; they are too 'trivial' to bother with.

    Not saying I agree, it's just reality.. they DON'T CARE about 'us'.

    --
    ---- Booth was a patriot ----
  22. Basically... by theolein · · Score: 4, Insightful

    It means what we already knew: That you as a single person are of no value to your government. This is the real world in which corporations can get tax breaks, get away with multi million dollar fraud, sic the feds onto you for sharing an mp3, sue you for your life's savings, and the world in which you are powerless. It's exaggerated but this is why communism was so popular in the early 20th century. The commies promised to put the rich fuckers up against the wall and shoot them. (They did this of course, but thereafter they were the ones treating you like shit)

    The next time you think big business and globalisation is fine and that those pesky anti-war demonstrators should get locked away, think of this again. ...and perhaps you should check your hosts file in c:\windows\system32\drivers\etc as well ;)
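The hosts-file check comment 22 closes with, as an added example that is not part of the thread: a Python script that parses the file in the format Windows and Unix both use and flags the two kinds of entry a spyware installer leaves behind. The sample file and the watched-domain list are constructed for the example; the addresses are the ones reported in the post, and the Windows path is the one comment 22 names.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of a hosts file. Lines 5 and 6 are the kind of entry
# spyware leaves behind; the address on line 5 is one reported in the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # ad-blocking style sinkhole, benign
66.220.17.45    mail.example.org         # traffic silently sent to a third party
127.0.0.1       www.bank.example         # blocks or intercepts a site you care about
"""

# Constructed: domains whose resolution you never want a hosts file to touch.
WATCH_DOMAINS = ["bank.example"]

HostEntry = Tuple[int, str, str]  # (line number, address, hostname)


def parse_hosts(text: str) -> List[HostEntry]:
    """Parse hosts-file syntax: '<address> <name> [alias...]' with '#' comments.
    Lines whose first field is not an IP address are skipped, as the OS does."""
    entries: List[HostEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((lineno, str(addr), name.lower()))
    return entries


def is_local(addr: str) -> bool:
    """Loopback, unspecified (0.0.0.0 / ::) and link-local are the addresses a
    hosts file legitimately points at; anything else routes traffic elsewhere."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def is_watched(name: str, domains: List[str]) -> bool:
    """True when the name is one of the watched domains or a host under one."""
    return any(name == d or name.endswith("." + d) for d in domains)


def suspicious_entries(text: str, watch_domains: List[str]) -> List[Dict[str, object]]:
    """Flag any name under a domain you care about (an override of a bank or
    mail host, even to loopback, is never legitimate) and any name pointed at
    a non-local address (the redirect-to-proxy trick the post describes)."""
    findings: List[Dict[str, object]] = []
    for lineno, addr, name in parse_hosts(text):
        if is_watched(name, watch_domains):
            reason = "watched domain overridden"
        elif not is_local(addr) and name != "localhost":
            reason = "non-local address"
        else:
            continue
        findings.append({"line": lineno, "name": name, "address": addr, "reason": reason})
    return findings


if __name__ == "__main__":
    # Live use on Windows:
    #   Path(r"C:\Windows\System32\drivers\etc\hosts").read_text()
    for finding in suspicious_entries(SAMPLE_HOSTS, WATCH_DOMAINS):
        print(finding)
```

A clean file produces no findings; on a typical Windows install the only entries should be the loopback ones, and anything pointing a real hostname at a routable address deserves the same suspicion as the DNS suffix in the post.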