Slashdot Mirror
Getting Law Enforcement Action for a Large-Scale Hack?
"So I determined that I was connecting to xxx.p5115.tdko.com instead of xxx. I started looking at dns settings. Of course, under Windows, the default is to accept the default dns domain specified by a DHCP server for the PC's ethernet connection. There are settings to disable this, but I hadn't thought about it until now. It turns out, Charter Communications' DHCP servers were infiltrated and were providing p5115.tdko.com as the 'Connection-specific DNS suffix', causing all non-hardened Windows (whatever that means in a Windows context) machines to get lookups from a hijacked subdomain DNS server which simply responded to every query with a set of 3 addresses (66.220.17.45, 66.220.17.46, 66.220.17.47).
On these IPs were some phantom services. There were proxying web servers (presumably collecting cookies and username/password combos), as well as an ssh server where the perpetrators were most likely hoping people would simply say 'yes' to the key differences and enter in their username/password.
Has anyone else seen this type of attack before? Pretty sneaky. I bet it would slip by most people that don't use anything but a web browser. This makes me want to step up my plans to put an OpenBSD firewall in place and allow it as little trust of the outside world as possible, providing more trusted DNS/DHCP services to the hosts on my network. It would be nicer to be able to boot the thing self-contained-and-configured off read-only media and have no writable access to anything from the operating system to totally prevent break-in/tampering.
With respect to the law enforcement issues. I first called Charter, and after 10 minutes on hold was told to submit a report to their abuse account. I asked the tech support rep if they really wanted me submitting the incident report through a hijacked proxying web server. I hadn't yet reconfigured my Windows systems because I wanted to collect as much information as possible while the attack was still live. The long and short from the tech support rep was they'd look at it, but couldn't do anything with respect to responding to me about it unless I submitted that report.
I moved on to calling the FBI. The after hours person had no idea what evidence collection procedures I should follow, nor if their office would even be interested in investigation. I was told to call back during business hours. I did a little searching and found the National Infrastructure Protection Center. I gave them a ring and was asked to fill out an incident report. I was told it would be reviewed in the NOC quickly and a decision made about further investigation. The rep answering the phone said to collect any and all information I could think of regarding the attack. I got a response later this morning that their NOC personnel had evaluated the report and decided not to investigate further.
I called the FBI back this morning, only to be told they generally didn't investigate these types of crimes for individuals, but usually only for companies that had lost at least a couple thousand dollars. To inflate my ego a bit, I asked if I could count my time cleaning up/investigating as a loss of this magnitude and was told no, that it would have to be a financial loss like is associated with internet credit card fraud. Given how Kevin Mitnick was convicted and sentenced on 'evidence' that included employee time for investigation and cleanup, why is this any different for me?
With respect to getting some action on any future attacks - what should I do? Who should I call? I'm not a h/\x0r, and I have reasonable investigation skills, but aren't there professionals doing this to uphold the law? What's the point of all those federal laws anyway? Monitoring of third party communications, without the consent of either party; unauthorized access to Charter's systems - the list can go on a lot further depending on the activity happening at those proxying servers. Are these laws just tools to oppress unpopular computer criminals but just plain not enforced most of the time?
I found this situation and particular method of attack interesting... hopefully this was fun to read. If you have suggestions for what I should do in the future to handle attacks, I'd love to hear about it!"
It has been my experience that unless there is some large monetary losses involved, then you're going to have a hard time getting law enforcement to do much of anything. Generally, for simple break-ins, they expect you to handle it yourself (typically contacting the ISP of the hacker).
When all else fails, run.
The computer police too. I've been mugged, robbed, and assulted multiple times in my life, and the police were never interested in helping. My car was just broken into, and I had $4000 in computer equipment stolen out of it. I called to file a report and have them come down and dust for prints, and they said that they can't send anyone down.
Of course, I've been stopped and harrassed by cops on a number of occasions. My brother gave me a small cut in a fight that required stitches, and they investigated my parents for child abuse. I've been accused of possessing marijuana for having a tomato stem in the cup holder of my car. I have to drive through a police checkpoint every day on the way back from work on highway 15 in San Diego. After I hit a spare tire that flew off the back of a car in front of me, the police officer wanted to write me a ticket because he was upset that he had to drive out a take a report.
I'm a law abiding citizen without a mark on my record, and I can still say: fuck the police
LS
There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
They are there to protect businesses and the government itself.
This is a disturbing trend in the United States of Lawyers and short of a revolution there is not much that can be done to reverse it. Just look at the article from yesterday where Oral Hatch wants to exclude copyright owners from anti-hacking laws so they can destroy a personal computer. It's sad and scary.
What the USL needs is a new Bill of Rights that protects people from corporations.
I say this only partially in jest, but maybe try contacting the dept of homeland defense, or GWB himself or something. Call it terrorism, they'll be shut down faster than you can say "foo".
Seriously though, with the increase in the gov't involvment and crackdown on cyber terrorism (or they say there is) isn't this a prime candidate?
That said, it's scary that the ISP doesn't seem to give a fark about this. If I was in charge of their security I'd be fixing this as quickly as possible, not letting my company's customers continue to use a compromised service. Wouldn't it be considered negligence to allow your customers to continue using a server you know to be compromised (ie: not changing the DHCP server back, or simply shutting down all access)? Personally I'd much rather loose my net access for a bit while this is cleaned up than my ISP knowingly let me proxy through sniffers and password grabbers.....
It sucks that the law-enforcement agencies won't help private individuals; however, since it's a company that's being hacked, they should be able to put their resources on it.
The problem here seems to be this: the company has been hacked and it's the customer researching the problem and trying to get help. The FBI isn't particularly interested in hearing some guy talk about a compromise of someone else's server -- hopefully Charter is dealing with them and the agents shouldn't be keeping you informed of the status of an investigation to which you're basically a bystander.
Sorry, HeelToe, you're being a good guy and did the best you could. Now, it's between you and the ISP.
What I'm listening to now on Pandora...
*They* will certainly care about a hijacked proxy achiving account numbers and sniffing passwords. Now, when they call your ISP - I bet they would take immediate notice.
-- your Web browser is Ronald Reagan
Have you tried running Spybot or Adaware lately? If you try going to p5115.tdko.com, you'll find it's a website for lop.com. Which, incidentally, is an infamous purveyer of spyware:
http://www.spywareinfo.com/articles/lop/
"People that quote themselves in their signatures bother me" - athakur999
I'm truly amazed that Charter and the FBI blew you off like this.
You've already tried going through channels so the next step is embarrassing them into doing something about it - notifying news media outlets and posting to slashdot are probably all you can do though. If Charter has any specific usenet groups like @Home used to have, I'd post this info there as well.
Best thing would be to get this on TV as then they can't ignore it. Charter is based in St. Louis and I'm sure one of the consumer affairs reporters at one of the TV stations in town would be interested in finding out that the major ISP in town is letting their users' passwords and other info get leeched.
Send it to charter. List at the end the OTHER people to ewhom you are sending it, and you'll need to send them all snail mail, with the two (yes, two- one to the folks you spoke to, one addressed to the CEO, which will be read by a secretary and passed on to someone whose job it is to keep these things quiet) to Charter certified mail, return receipt requested. Those others will go to:
Your US congressional reps- both houses, whether you voted for them or not; (i'm assuming you're in the US, if not go for the nearest equivalent of these)
The Better Business Bureau;
the state attorney general's office
the FBI office that you contacted;
The FCC;
Anyone and Everyone whom you think might be interested, NOT counting the media. Why not? Because you want to be able to prove that you gave them a chance to correct the problem before you take it further. You are certainly allowed to suggest that it might be possible, but mention first that you need a written response from them telling what they plan to do about this (tell them what you want this to be), and mention that you will seek the assistance of a lawyer if this clear threat to you as their customer is not immediately remedied.
Keep a copy of the letter. Offer to send supporting evidence AS SOON AS they have officially begun their remedial actions and you have received initial results. (or you may wish to send it sooner, at least the info that you feel comfortable having random secretaries seeing.)
IANAL, but I have good reason to recommend this method. Incidentally, it works for a LOT of customer issues, and you have to be sure to send out copies of follow-up letters to the same set of people. Make sure to document hours spent working on it, and all the people whom you've spoken with and when. Media is for after their failure to remedy the matter after 1 letter, just add it to the CC list. You might try writing the second letters as two- one to the company, one to the attorney general or congressional folks, and the other to the company, and include copies of both in the envelope to the company. Their failure to help is against entirely different laws. Use the words "acted in bad faith."
be persistent. It helps.
"I'd say 'Have a good time,' but arson is still illegal.