Slashdot Mirror


Getting Law Enforcement Action for a Large-Scale Hack?

HeelToe asks: "Two nights ago, I sat down to do a few chores with finance websites and check my mail. To check my mail, I use an ssh connection and read it via mutt. I had already hit Slashdot for my semi-hourly dose of content, but then noticed my ssh client complaining about a difference between its cached copy of the server key and the server key presented, so I started investigation. After figuring out what was going on, I contacted the tech support line for my service provider (Charter Communications) to no avail, as well as the FBI and NIPC, again, both to no avail. There are all these laws and all this hype about enforcing these computer crime laws - what must an end user do to get some enforcement done? Read on for more, much more..." Update: 06/21 19:13 GMT by C: As it turns out, the issue wasn't a hack at Charter but a particularly nasty form of Spyware. Still, the question is valid, and some of the suggestions already given have been really informative. Keep 'em coming!

"So I determined that I was connecting to xxx.p5115.tdko.com instead of xxx. I started looking at dns settings. Of course, under Windows, the default is to accept the default dns domain specified by a DHCP server for the PC's ethernet connection. There are settings to disable this, but I hadn't thought about it until now. It turns out, Charter Communications' DHCP servers were infiltrated and were providing p5115.tdko.com as the 'Connection-specific DNS suffix', causing all non-hardened Windows (whatever that means in a Windows context) machines to get lookups from a hijacked subdomain DNS server which simply responded to every query with a set of 3 addresses (66.220.17.45, 66.220.17.46, 66.220.17.47).

On these IPs were some phantom services. There were proxying web servers (presumably collecting cookies and username/password combos), as well as an ssh server where the perpetrators were most likely hoping people would simply say 'yes' to the key differences and enter in their username/password.

Has anyone else seen this type of attack before? Pretty sneaky. I bet it would slip by most people that don't use anything but a web browser. This makes me want to step up my plans to put an OpenBSD firewall in place and allow it as little trust of the outside world as possible, providing more trusted DNS/DHCP services to the hosts on my network. It would be nicer to be able to boot the thing self-contained-and-configured off read-only media and have no writable access to anything from the operating system to totally prevent break-in/tampering.

With respect to the law enforcement issues. I first called Charter, and after 10 minutes on hold was told to submit a report to their abuse account. I asked the tech support rep if they really wanted me submitting the incident report through a hijacked proxying web server. I hadn't yet reconfigured my Windows systems because I wanted to collect as much information as possible while the attack was still live. The long and short from the tech support rep was they'd look at it, but couldn't do anything with respect to responding to me about it unless I submitted that report.

I moved on to calling the FBI. The after hours person had no idea what evidence collection procedures I should follow, nor if their office would even be interested in investigation. I was told to call back during business hours. I did a little searching and found the National Infrastructure Protection Center. I gave them a ring and was asked to fill out an incident report. I was told it would be reviewed in the NOC quickly and a decision made about further investigation. The rep answering the phone said to collect any and all information I could think of regarding the attack. I got a response later this morning that their NOC personnel had evaluated the report and decided not to investigate further.

I called the FBI back this morning, only to be told they generally didn't investigate these types of crimes for individuals, but usually only for companies that had lost at least a couple thousand dollars. To inflate my ego a bit, I asked if I could count my time cleaning up/investigating as a loss of this magnitude and was told no, that it would have to be a financial loss like is associated with internet credit card fraud. Given how Kevin Mitnick was convicted and sentenced on 'evidence' that included employee time for investigation and cleanup, why is this any different for me?

With respect to getting some action on any future attacks - what should I do? Who should I call? I'm not a h/\x0r, and I have reasonable investigation skills, but aren't there professionals doing this to uphold the law? What's the point of all those federal laws anyway? Monitoring of third party communications, without the consent of either party; unauthorized access to Charter's systems - the list can go on a lot further depending on the activity happening at those proxying servers. Are these laws just tools to oppress unpopular computer criminals but just plain not enforced most of the time?

I found this situation and particular method of attack interesting... hopefully this was fun to read. If you have suggestions for what I should do in the future to handle attacks, I'd love to hear about it!"


  1. Call tech support, but by aridhol · · Score: 5, Informative
    If you can't get the tech support to help, try escalating and turboing the problem. Eventually, you'll talk to someone at the ISP who can or will do something. If not, it's time to get a new provider.

    It sucks that the law-enforcement agencies won't help private individuals; however, since it's a company that's being hacked, they should be able to put their resources on it.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
    1. Re:Call tech support, but by Otter · · Score: 5, Insightful
      (Wow, 32 comments and no one has told him it's his fault for using Windows?!?)

      It sucks that the law-enforcement agencies won't help private individuals; however, since it's a company that's being hacked, they should be able to put their resources on it.

      The problem here seems to be this: the company has been hacked and it's the customer researching the problem and trying to get help. The FBI isn't particularly interested in hearing some guy talk about a compromise of someone else's server -- hopefully Charter is dealing with them and the agents shouldn't be keeping you informed of the status of an investigation to which you're basically a bystander.

      Sorry, HeelToe, you're being a good guy and did the best you could. Now, it's between you and the ISP.

    2. Re:Call tech support, but by Anonymous Coward · · Score: 2, Funny

      Call Homeland Security. Tell them you want to report a terrorist attack.

    3. Re:Call tech support, but by dszd0g · · Score: 4, Insightful

      But he isn't a bystander. The attacker is attempting to steal his passwords (and credit card numbers for those who don't notice and sending it unencrypted). I would consider myself under attack in such a situation.

      That said I am not surprised by Charter's response. I had @Home for almost two years without technical issue (one double billing, which they resolved quickly), until they went under and I was switched to Charter's service. I spent over 40 hours on tech support with them trying to get them to finally find the missing entry in their database that was causing my service to be interrupted (I was down for 18 days). From my experience, I doubt one could find a more incompetent ISP.

      --
      This message is encrypted with Quad ROT-13 to protect the author's copyright under the DMCA.
    4. Re:Call tech support, but by Greedo · · Score: 2, Funny

      This post not intended to constitute legal advice: if you need such advice, see an attorney, not slashdot.

      Ah ... so that's what I've been doing wrong all these years.

      --
      Tuus crepidae innexilis sunt.
    5. Re:Call tech support, but by Otter · · Score: 2, Insightful
      But he isn't a bystander. The attacker is attempting to steal his passwords (and credit card numbers for those who don't notice and sending it unencrypted).

      Sure, I understand that. But that doesn't translate into the FBI's dealing with him as though he were the party under attack. They're going to want to deal with the ISP. His case is against the ISP, not the hacker.

      It may be unfair, but it's the way it is.

    6. Re:Call tech support, but by TheCarp · · Score: 2, Interesting

      Hmmm seeing your comment I am inspired...

      Play hardball... if the ISP is refusing to admit that their machines are hacked, then they must be doing this on purpose.

      I would report to the FBI that the ISP is redirecting all traffic and running man in the middle attacks on you and their other customers and you have discovered it...

      If it works, then that at least gets the ball rolling on the investigation and when they find out that the ISP is a hapless victim, then they will have the full attention of the ISP directly in dealing with the issue.

      Oh yea... and get a better ISP.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
    7. Re:Call tech support, but by insanechemist · · Score: 2, Insightful

      Charter is a big bag of p**p. We used them for two buildings that couldn't get DSL and the modem was up and down for the better part of the first 6 months on one building. Finally they acknowledged it may be a hardware issue and came out - it was. They had done a crappy cable install and one of the connections was breaking randomly. After that we had OK service for a short while - except when they finally admitted the network was unstable and had to do a full scale modem swap out. I called to find out what the new problem was (our modems at that point were no longer working more than one hour per day on average) and NEVER got a call back from the corp. sales cheeze whiz. Dumped them and moved to DSL - no unplanned disconnects yet! We have a VPN so any down time is quickly noticed when the bigwig can't get his email.

    8. Re:Call tech support, but by gooberguy · · Score: 2, Insightful

      Charter is a big bag of p**p.

      When did "poop" become a swear word?

      --
      Karma: Meh (Mostly from meh.)
  2. Post it to Slashdot by ites · · Score: 5, Funny

    Which will do two things:

    1. you will get realtime help. OK, there are better ways but this is a _big_ audience you have here.

    2. post a link to the offending server, and the /. effect will wipe it out.

    --
    Sig for sale or rent. One previous user. Inquire within.
  3. Money == attention by Whammy666 · · Score: 5, Insightful

    It has been my experience that unless there is some large monetary losses involved, then you're going to have a hard time getting law enforcement to do much of anything. Generally, for simple break-ins, they expect you to handle it yourself (typically contacting the ISP of the hacker).

    --
    When all else fails, run.
  4. This is giving me the cold sweats by Glyndwr · · Score: 5, Interesting

    I bet an attack of this nature turns up an absolute shedload of valuable, confidential information, and I bet there are plenty of pissant ISPs in the world with poorly configured DNS servers too. How often has this kind of attack been found? I'm suddenly real glad I run my own DNS server behind my firewall.

    "No financial losses" my ass. Let's see what Visa's customers have to say about that when the logins for half a million credit card e-banking systems get compromised. Hmm, almost makes me wish I could detect a similar attack so we could see what the UK police would do. "Intarweb, sir? Nah, not on our patch, you seee...."

    --
    You win again, gravity!
    1. Re:This is giving me the cold sweats by platypus · · Score: 4, Insightful

      You can't. But fortunately, exactly that (and more) is what server keys and challenge auth are for. So never, never! ignore when your client for a secured connection complains about non-matching keys.

    2. Re:This is giving me the cold sweats by GreyPoopon · · Score: 2, Interesting
      I bet there are plenty of pissant ISPs in the world with poorly configured DNS servers too

      I think I've protected myself from this kind of thing. I've hard-coded the numeric IP addresses for DNS servers. Somebody correct me if I'm wrong and should be worried.

      --

      GreyPoopon
      --
      Why is it I can write insightful comments but can't come up with a clever signature?

  5. No you were running spyware! by Anonymous Coward · · Score: 2, Flamebait

    There is spyware which changes your default domain (overrides DHCP). It's by a company from the UK; I can't remember their name. It's your own fault for using IE.

    1. Re:No you were running spyware! by bsiggers · · Score: 2, Funny

      Sssh! No good advice here!

    2. Re:No you were running spyware! by cruelworld · · Score: 3, Funny

      Only a terrorist would suggest something like that! You're in on it aren't you!!! Goddamnit, I knew I shouldn't have sent my tinfoil hat out to be dry-cleaned.

    3. Re:No you were running spyware! by HeelToe · · Score: 5, Informative

      Actually, it was not spyware.

      I queried the dhcp server from a unix-alike box and got the same response back from it for the connection's dns domain as I did under windows. The DHCP server was handing it out for sure.

    4. Re:No you were running spyware! by plover · · Score: 5, Informative
      I run Spybot S & D, from http://security.kolla.de. It does a pretty good job of cleaning up these infections. It got rid of Xupiter, which was my first personal infection by spyware (or any virus for that matter.) I then asked my kid to stop running Morpheus and switch to Gnucleus. (I've since asked him not to participate in any file sharing at all because of all the legal crap flying about.)

      Of the bad ones, Lop (which you have) is far and away the most difficult to get rid of. It has many separate components, a Browser Helper Object, an executable launched at startup via an entry that's in your registry's HKLM/Software/Microsoft/Windows/CurrentVersion/Run key, (and possibly in RunOnce and/or RunServices, plus in the same path under each user as well), and others. I think it may even replace your WSOCK32.DLL but I don't remember if Lop is that one. If it is, it certainly would explain why your DNS went haywire. The deal with Lop is that all these components watch over each other. If you delete or disable one component, the others silently patch the hole next chance they get.

      To answer your question, I've never heard of it affecting a firewall/router. (I kind of assume you're running a Linksys, but regardless of the make & model make sure you don't still have the default password on it.) If Lop patched your winsock layer, the Windows box would be completely unable to tell you the truth about DHCP or DNS.

      It's not quite as bad as kudzu, but it's definitely not something you want.

      Anyway, I've found Spybot S&D to be a most excellent tool with frequent and current updates. It's the first thing I run every time I visit friends or family and they want me to look at their computers. It's also free, (but donations are welcome.) I switched from the paid version of AdAware+ after they failed to release V 6.0 on time. I do wish that the anti-virus vendors would block some of this crap.

      Other things I run to defend my Microsoft equipment from this stuff?

      • I run BHOCop occasionally, which lets me manage "Browser Helper Objects". The only BHO I allow is Acrobat.
      • I use StartupMonitor which watches all the startup registry keys, the "Startup" folders, the system services, and the Autoexec and Config files for changes and it pops up a confirmation message box before allowing any changes that would allow a new program to run on startup. If something wants to run at startup, I think I should know about it. It used to be freeware, but I think the magazine that sponsored it now wants $20.00 for it. I suppose I'll just have to get off my butt and write one (it's about a dozen Win32 API calls.) And while I'm at it, I think I'll have it watching for BHOs at the same time, and try to kill two birds with one stone. I don't like how it doesn't play nice with multiple users under XP anyway.
      • I run Mozilla as my primary browser. None of the spyware fiends seem to have targeted it. And it doesn't run stupid objects. But, I still have IE as the default browser because on Windows, there are some things that just have to have IE.
      • I run the Proxomitron as an ad-filtering proxy, so I added certain anti-spyware checks into it.
      • My son likes running Zone Alarm to keep an eye on what's leaving his box, but I found it kind of annoying so I removed it from mine. It doesn't really prevent much, per se, but it does let you know you're infected.
      • I tried creating directories for the default paths of Xupiter, Kontiki and others, and used CACLS to have NTFS remove all access. That was kind of a mistake, because even I couldn't get rid of them after that.
      • Finally, I had entries in my hosts file for the sites of the known worst offenders (lop, xupiter, bonzi buddy, gator, kontiki) so that even if something slipped thru, I wouldn't be accidentally talking to them. But I ended up with over 1600 lines in my hosts file, though, and name resolution started taking way too
      --
      John
  6. If You're Not Corporate, You're Little People by Master+Bait · · Score: 3, Insightful
    ...called the FBI back this morning, only to be told they generally didn't investigate these types of crimes for individuals, but usually only for companies that had lost at least a couple thousand dollars.

    I really don't know what to say, except what I put in the subject line. The subject was lifted from the famous line in Blade Runner, "If you're not cop, you're little people." These days, money incurs rights and protection granted by the government. Odd how things have turned out, eh?

    --
    "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
    --Tom Schulman
    1. Re:If You're Not Corporate, You're Little People by realdpk · · Score: 3, Insightful

      Well, sure, but it's not like the FBI has unlimited resources either. I don't think it's necessarily right to expect them to investigate every little SSH key popup you get, or SSL cert change, etc.

      If someone really did hijack Comcast's DNS servers, Comcast ought to be the ones calling, in any case. If you're worried that someone else's DNS servers will be compromised, host your own locally.

    2. Re:If You're Not Corporate, You're Little People by bourne · · Score: 4, Informative

      I really don't know what to say, except what I put in the subject line.

      You're overreaching a bit.

      The end-user isn't an official representative of the victim. Obviously, law enforcement isn't going to deal with him. Firstly, for (the feds) to get involved, they need at least $5000 damage, which he couldn't speak to. They're not going to waste their time unless there is a willingness to prosecute, which - guess what - also requires an official representative to commit to. Finally, if they do get involved, their next step is to ask for logs and other evidence - which, at best, the end-user only has symptoms of. Again, they need to deal with the duly authorized representative of the ISP to get anywhere.

      From the sound of it, they actually went out of their way to try and help him reach the minimums to be considered a valid case himself. That's actually pretty amazing by itself.

    3. Re:If You're Not Corporate, You're Little People by InsaneGeek · · Score: 4, Informative

      In general the reason being: it's not a federal issue until it hits >$5,000 in damages. Until then you are supposed to deal with your local organizations (there is a reason for your local government, you know. Does one go directly to the CEA to get more toilet paper in the bathroom?).

      In this case specifically a reasonable analogy would be: a technically competent end-user in a corporate environment doesn't contact the FBI, their IT dept does. The user here doesn't have control over the DHCP/DNS servers, doesn't manage them in any way. What do you expect from a federal organization in this situation... 20 feds flown down to look at an end-user's system that hadn't received any monetary losses yet?

      A more defined notification authority would be nice, but you can't expect every single end user to call the FBI. As an end-user, contact your local officials; you are paying taxes for them. If you are the owner of the compromised systems and you incurred financial loss then you can bump it up to a federal level (remember local/state organizations can sometimes even provide better service than the FBI, and then there are some that are stupid).

  7. Who did you talk to? by arcsine · · Score: 3, Informative

    I'm not sure if you came off the right way. You may have wanted to ask to talk to a manager at an ISP and explain to them that it wasn't *your* problem, but *their* problem.

    Most of the tech support people are used to handling stupid people with simple problems, and probably didn't believe, or realize how bad the actual problem was.

  8. Domain suffix fun.. by wfberg · · Score: 4, Interesting

    The domain suffix on windows is fun. It uses the domain name in your hostname as a domain suffix to search as well. One day, I'd set up my windows box as mybox.mydomain.com. Then my ISP's DNS servers stopped working. So when I went to cnn.com, it went to cnn.com.mydomain.com - and I got my very own homepage, even though the address bar in the browser said cnn.com (since *.mydomain.com resolves to mydomain's webserver's IP address..)

    I also have my webserver set up so that if you surf to a hostname that doesn't exist, it serves up the google I'm Feeling Lucky page for the hostname.. "Collecting ancient art? Why, I happen to have a website on that, just go to collecting.ancient.art.mydomain.com."

    --
    SCO employee? Check out the bounty
    1. Re:Domain suffix fun.. by Jellybob · · Score: 2, Funny

      The address doesn't work.

      I just get a bunch of stuff about buying domains.

    2. Re:Domain suffix fun.. by akeru · · Score: 2, Interesting

      ahh yes, DNS domains . . .
      well, it's not just Windows that does that it is, in fact, part of address resolution that the first thing that gets checked is .. and then . You can get around it by manually adding the '.' to the end of the domain. Try http://www.cnn.com./ and watch it go to the correct place. (Assuming cnn.com. doesn't redirect you to cnn.com, which would be looked up according to the usual rules)

      --

      Let's hope that there's intelligent life somewhere out in space 'Cause there's bugger-all down here on Earth.
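The search-suffix behaviour wfberg and akeru describe is what made the hijack in HeelToe's story work: a zone that answers every name with the same addresses catches every unqualified lookup. The following is an added example, not code from any post in this thread: it probes a few random labels under a suffix and reports if they all resolve identically (a healthy zone returns NXDOMAIN for names that do not exist). It uses only the Python standard library; the two fake resolvers are constructed stand-ins for the hijacked zone and a normal one.

```python
"""Detect a wildcard DNS suffix of the kind described in the thread.

Added example, not from the original post. Windows appends the DHCP-supplied
connection-specific suffix to unqualified names, so a suffix whose zone
answers every query identically silently redirects every short-name lookup.
"""
import random
import socket
import string
import sys
from typing import Callable, FrozenSet, Optional

Resolver = Callable[[str], FrozenSet[str]]


def system_resolver(name: str) -> FrozenSet[str]:
    """Resolve via the OS stub resolver; empty set on NXDOMAIN or failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return frozenset()
    return frozenset(info[4][0] for info in infos)


def random_label(rng: random.Random, length: int = 12) -> str:
    """A label that is vanishingly unlikely to exist in a legitimate zone."""
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def wildcard_answer(suffix: str, resolve: Resolver, probes: int = 4,
                    rng: Optional[random.Random] = None) -> Optional[FrozenSet[str]]:
    """Return the common answer set if every random probe under `suffix`
    resolves to the same non-empty addresses; None if the zone behaves normally."""
    rng = rng or random.Random()
    answers = {resolve(f"{random_label(rng)}.{suffix}") for _ in range(probes)}
    if len(answers) == 1:
        only = next(iter(answers))
        if only:  # identical *and* non-empty: every name "exists"
            return only
    return None


# Constructed stand-in for the hijacked zone from the post: every query under
# p5115.tdko.com gets the three addresses HeelToe observed.
HIJACKED_ADDRS = frozenset({"66.220.17.45", "66.220.17.46", "66.220.17.47"})


def fake_hijacked_resolver(name: str) -> FrozenSet[str]:
    return HIJACKED_ADDRS if name.endswith(".p5115.tdko.com") else frozenset()


def fake_honest_resolver(name: str) -> FrozenSet[str]:
    """Constructed zone with one real host; everything else is NXDOMAIN."""
    table = {"mail.example.net": frozenset({"192.0.2.10"})}
    return table.get(name, frozenset())


def main() -> None:
    # Usage: python check_suffix.py <suffix>  (the suffix from `ipconfig /all`
    # on Windows, or the `search` line of /etc/resolv.conf elsewhere)
    if len(sys.argv) < 2:
        print("usage: check_suffix.py <dns-suffix>")
        return
    suffix = sys.argv[1]
    hit = wildcard_answer(suffix, system_resolver)
    if hit:
        print(f"WARNING: every probe under {suffix} resolves to {sorted(hit)}")
    else:
        print(f"{suffix}: random names do not resolve; no wildcard detected")


if __name__ == "__main__":
    main()
```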

  9. There's your problem... by Anonymous Coward · · Score: 5, Funny

    You called Charter tech support?

    It's a wonder they didn't tell you to reboot your modem, reboot your PC and verify that the network card is listed in Device Manager.

    That's about all I've ever gotten out of them.

  10. They've got to have some guidelines... by TopShelf · · Score: 4, Insightful

    To inflate my ego a bit, I asked if I could count my time cleaning up/investigating as a loss of this magnitude and was told no, that it would have to be a financial loss like is associated with internet credit card fraud. Given how Kevin Mitnick was convicted and sentenced on 'evidence' that included employee time for investigation and cleanup, why is this any different for me?

    So many reasons, it's hard to count! But here's a couple for starters:

    1) Your Mitnick example was how evidence was used in court to determine guilt and sentencing. That is a different animal than investigatory guidelines as to which cases should be pursued.
    2) The Mitnick thing was years ago, and activity is so much higher now that they might have set the bar higher in terms of what cases to pursue.

    --
    Stop by my site where I write about ERP systems & more
  11. Escalation? by kjs3 · · Score: 2, Informative
    Did you try to get escalated to a higher support tier or to a supervisor? I've found that generally works as long as you are persistent.

    Level 1 support at most ISPs don't have any technical skills. They walk through a series of scripted interactions and weed out the 99% of calls that are simple to solve. Good for the ISP, but bad for the 1% highly technical callers.

    It's also possible that there is a specific security group that you could contact. You might have to be persistent to find them, however.

    1. Re:Escalation? by taverngeek · · Score: 2, Insightful

      What you needed to do was ask for the ISP's security dept, saying that their systems had been compromised and that their systems were now being used to attempt to compromise your and presumably other customers' data.

  12. Well, you have done some good here already. by OwnerOfWhinyCat · · Score: 4, Insightful

    Every admin who has been reflexively typing 'yes' to the

    The RSA host key for yoursite.com has changed, use new key?

    prompt is now shuddering to think how many passwords s/he might have handed the "Man in the Middle."

    Good Job.

    1. Re:Well, you have done some good here already. by aridhol · · Score: 5, Informative

      Of course, that only affects those who use passwords for SSH. I generally prefer RSA user authentication. One of the reasons is laziness - I only have to enter my key's password once, and it authenticates to SSH servers for me. And, of course, there's security. Because I don't enter my password over the wire, there's no way for it to be intercepted.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    2. Re:Well, you have done some good here already. by CorwinOfAmber · · Score: 2, Informative
      Of course, that only affects those who use passwords for SSH.

      No, a successful man-in-the-middle attack will affect anyone using SSH, whether they use passwords, RSA keys, or anything else.

      Because I don't enter my password over the wire, there's no way for it to be intercepted.

      Not your login password, no. But anything else you enter or view can be. Su to root? Now they know your root password. Read your mail? They did too.

      --
      My future's determined by Thieves, thugs, and vermin -- The Offspring
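CorwinOfAmber's point is that the warning HeelToe saw is the client doing its job: a key that differs from the one on file is what a man-in-the-middle looks like, and it is a different case from a host never connected to before. The following is an added example, not code from any post or from OpenSSH itself: it performs that known_hosts comparison, including entries hashed with HashKnownHosts and the @revoked marker. The sample key strings and salt are constructed, not real keys.

```python
"""Check a presented SSH host key against an OpenSSH known_hosts file.

Added example, not part of the thread. Handles plain entries
(`host,ip keytype key`), entries hashed with HashKnownHosts
(`|1|salt|hmac-sha1(salt, host)| keytype key`) and the @revoked marker.
"""
import base64
import hashlib
import hmac


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build the '|1|salt|digest|' host field OpenSSH writes with HashKnownHosts."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(field: str, hostname: str) -> bool:
    """Match the host column (plain, comma-separated, or hashed) to hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64, _ = field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    return hostname in field.split(",")


def verify_host_key(known_hosts: str, hostname: str, keytype: str, key_b64: str) -> str:
    """Return 'ok' (key on file), 'changed' (a different key is on file for this
    host and key type: possible man-in-the-middle), 'revoked', or 'unknown'."""
    other_key_on_file = False
    for raw in known_hosts.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = None
        if parts[0].startswith("@"):
            marker, parts = parts[0], parts[1:]
        if len(parts) < 3:
            continue
        hosts, ktype, key = parts[0], parts[1], parts[2]
        if ktype != keytype or not host_matches(hosts, hostname):
            continue
        if marker == "@cert-authority":
            continue  # CA entries need certificate signature checking; out of scope here
        # OpenSSH compares the decoded key blob; canonical base64 makes this equivalent.
        if key == key_b64:
            return "revoked" if marker == "@revoked" else "ok"
        if marker is None:
            other_key_on_file = True
    return "changed" if other_key_on_file else "unknown"


# Constructed sample data (base64-looking strings, not real public keys).
GOOD_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyConstructedNotARealKey00000000000"
EVIL_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIEvilKeyConstructedNotARealKey00000000000"
SALT = bytes(range(20))  # fixed so the hashed sample line is reproducible

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "mail.example.net,192.0.2.10 ssh-ed25519 " + GOOD_KEY,
    hash_hostname("shell.example.org", SALT) + " ssh-ed25519 " + GOOD_KEY,
    "@revoked old.example.org ssh-ed25519 " + EVIL_KEY,
])

if __name__ == "__main__":
    for host, key in [("mail.example.net", GOOD_KEY), ("mail.example.net", EVIL_KEY),
                      ("shell.example.org", GOOD_KEY), ("new.example.com", GOOD_KEY),
                      ("old.example.org", EVIL_KEY)]:
        print(f"{host:20s} {verify_host_key(SAMPLE_KNOWN_HOSTS, host, 'ssh-ed25519', key)}")
```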
  13. Contact the police local to the offenders by c0d3h4x0r · · Score: 5, Interesting

    Look up the IP registrations, find the owners' locale, and then contact that local police department. Tell them a federal crime (felony) is being perpetrated on a grand scale, and that you need to speak with someone with extensive computer/internet/technical knowledge to report all the details.

    --
    Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
  14. F*ck the police by LS · · Score: 5, Insightful

    The computer police too. I've been mugged, robbed, and assaulted multiple times in my life, and the police were never interested in helping. My car was just broken into, and I had $4000 in computer equipment stolen out of it. I called to file a report and have them come down and dust for prints, and they said that they can't send anyone down.

    Of course, I've been stopped and harassed by cops on a number of occasions. My brother gave me a small cut in a fight that required stitches, and they investigated my parents for child abuse. I've been accused of possessing marijuana for having a tomato stem in the cup holder of my car. I have to drive through a police checkpoint every day on the way back from work on highway 15 in San Diego. After I hit a spare tire that flew off the back of a car in front of me, the police officer wanted to write me a ticket because he was upset that he had to drive out and take a report.

    I'm a law abiding citizen without a mark on my record, and I can still say: fuck the police

    LS

    --
    There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
    1. Re:F*ck the police by druxton · · Score: 2, Funny

      I've been mugged, robbed, and assaulted multiple times in my life

      Ever thought of moving?

    2. Re:F*ck the police by Dr_LHA · · Score: 4, Insightful

      Agreed entirely. Your story is one I've heard a thousand times, and one I've experienced myself. Once, when I was 16 years old, I was knocked off my bicycle by a guy in a van. The police got involved as I was pretty seriously injured (and almost run over by a bus as part of the incident). Turns out the guy had no driving license or insurance and had not paid his car tax. He shouldn't have been driving the van in the first place.

      I was told in no uncertain terms that the guy would not be prosecuted in any way.

      Just like you I've also been hassled by the police on many occasions for no good reason, been forced to show ID for such crimes as "walking home after 3am" etc. I know that police have a hard job to do, but really they need to remember that their motto is "To Protect and Serve" not "To Hassle and Intimidate".

    3. Re:F*ck the police by borgasm · · Score: 2, Informative

      You know, you don't need to present your ID to a police officer...They can't even prevent you from walking away from them if you aren't being charged with a crime...

      Read up on some ACLU stuff...their site is pretty interesting. I think they have a little card you can carry in your wallet which lists your Civil Rights. I find it very informative.

    4. Re:F*ck the police by ChristTrekker · · Score: 2, Interesting
      My point is - You are on your own. Carry a gun.

      Darn right. Several court cases have determined that the police cannot be sued for failure to protect. That means that yes, despite the "To protect and to serve" motto, it is still your own responsibility to defend yourself. Government does not take responsibility for this, though it likes to try to take away the right.

      Sort of ironic thing is, though, that some cops in CCW states (where carrying a weapon is obviously legal, as if the 2nd Amendment didn't make it obvious enough) were asked what they would do if, during a routine traffic stop with a completely ordinary driver, they happened to notice a gun in plain sight. There were responses like, "Call for backup, you never know if the guy is a nut," and, "Get him out of the car to cuff him and then hold on to the weapon." You'd think the police would have a better understanding of what it means for citizens to act legally and within their rights. Unfortunately, many (not all, and I wouldn't even say most) cops have an "us vs. them" attitude.

    5. Re:F*ck the police by Badanov · · Score: 2, Informative
      No, they can't prevent you from walking away but once the officer issues an instruction for you to stay and talk to him, or any other order as a part of his duties, you are obliged to obey it

      Failure to do so makes you subject to arrest for failing to obey an officer. Once you are under arrest, the game is over. You can be searched and the officer may then proceed with his 'investigation.'

      I think reading and believing what the ACLU says about anything is a lot more likely to get you arrested and jailed than simply obeying and cooperating with that officer. ACLU or not, until that police officer dismisses you in the course of the lawful discharge of his duties, you are obliged to obey his lawful orders.

      --
      Dawn of the Dead
    6. Re:F*ck the police by bluGill · · Score: 3, Informative

      True, if a police officer orders you to stay and talk, you must stay. However there is no requirement to talk. If the officer demands identification and doesn't need it (he must charge you for a crime unless you are in a car, or other situation where you must present ID, not all of which I know), you should not give it. You should however demand his badge ID, which he is required to give you. If the officer needs identification, which will be most of the time they ask, provide it.

      Anytime you think a cop is doing something wrong, or even questionable, get his badge ID. Write it down. If the cop has a pen and refuses to lend it to you to write his ID number down, that is his right, but be sure your complaint includes how unhelpful he is. The badge ID is the best way to ensure that the cop causing you trouble gets into trouble. Trouble that appears on his record. It may or may not result in action, but it normally stays on the record. If this is an isolated incident we can all forgive it; if this is not, eventually someone will make a big stink about it, and then all the other incidents will come to light.

      BTW, make sure you save those badge IDs yourself, along with a note on exactly what happened. If you hear about some officer doing "bad things" (which normally means bad enough that it gets attention, may or may not be really bad), contact a reporter, and suggest that they examine that officer's files to make sure your report is there. They might not be able to, but it makes a really good follow-up story to be able to say that the officer did "bad things, of other nature" before and nothing was done about it. Makes a local story into headline news all over the state, and reporters love that.

  15. Read the Cuckoo's Egg. by Jon+Abbott · · Score: 5, Interesting

    The book Cuckoo's Egg by Cliff Stoll deals with this issue specifically... Someone kept hacking the author's computers at Lawrence Berkeley National Labs (coincidentally, that makes twice in two days that I've mentioned a National Lab on slashdot), and he has to convince the authorities that it is truly worthy of investigation... The FBI points him to the CIA, the CIA points him to the FBI, so a lot of the story deals with the social engineering required to get the authorities to actually listen. It's really a great read, and you can find used copies on Amazon for a penny.

    1. Re:Read the Cuckoo's Egg. by ThrasherTT · · Score: 2, Insightful

      We had to read/discuss/report on this book as part of a senior-level Computer Ethics class at VA Tech. An excellent story, but perhaps a bit out-of-date nowadays.

      --

      All Your Memory Are Belong To Java
  16. What can you do? by EZmagz · · Score: 2, Insightful
    There are all these laws and all this hype about enforcing these computer crime laws - what must an end user do to get some enforcement done?

    Honestly, unless you're a big corporation (or at least a company with some legal weight), there isn't much you can do. Sounds like you pursued some of the right avenues to go through, but from what I've seen, read, and heard, individual civilian complaints don't bring a lot of action. If you were the FBI and had very limited staff resources, and you were presented with the task of either:

    helping a sole individual who had his box cracked, or

    a company like eBay, who hypothetically just had their credit card db broken into and copied,

    which would you go for?

    Maybe I just have a pessimistic attitude towards our beautiful US government. It seems that the average joe doesn't have a lot of recourse against stuff like this though. Hopefully our fellow /.'ers will provide stories proving me wrong. That might instill a bit of faith in my weary bones.

    --

    "Hell hath no fury like a woman scorned for SEGA. ..."

  17. The Point of all those Tech Laws by huckamania · · Score: 5, Insightful

    They are there to protect businesses and the government itself.

    This is a disturbing trend in the United States of Lawyers and short of a revolution there is not much that can be done to reverse it. Just look at the article from yesterday where Orrin Hatch wants to exclude copyright owners from anti-hacking laws so they can destroy a personal computer. It's sad and scary.

    What the USL needs is a new Bill of Rights that protects people from corporations.

  18. The Irony.... by Picass0 · · Score: 4, Insightful

    .... what is funny here is how the Fed spends soooo much energy collecting powers over the internet that it has no idea how to use.

    I think sometimes that the internet might be too big for them in its present form. Better to break it and build something new! Something where Disney can get a signoff.

  19. RISKS by kzinti · · Score: 5, Informative

    I can't help you with getting the attention of law enforcement or the service provider, but when all is said and done, I bet Peter Neumann at the ACM RISKS Digest would love to publish your story. The RISKS readers would be interested in the original hijacking, and just as interested in the lackadaisical response by those who could do something about it. The risks posed by both problems are the forum's reason for being.

  20. LOP.COM by Anonymous Coward · · Score: 2, Informative

    Look it up; it matches the IPs. They're spyware. Looks like they're doing some serious assholish stuff.

    1. Re:lop.com by st0rmshad0w · · Score: 2, Informative

      Definitely. I don't think this was a man-in-the-middle maneuver (though I admit I may be very wrong). LOP.com crap has turned up at my workplace repeatedly, usually 1 or 2 calls a week about "pop-up-porn", and they all get traced back to LOP. Their adware now has some tactic to hijack DNS settings I would imagine. Lovely. Can't someone send them an .mp3 so we can get Hatch to nuke them?

    2. Re:lop.com by HeelToe · · Score: 2, Informative

      Yeah, I did think to run Spycop after this happened. It turned up nothing but a few cookies.

      I explained in another post elsewhere that I did in fact use a unix-alike box to query the dhcp server and got back that connection dns suffix from the dhcp server.
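An added example, not code from HeelToe or from the original post, showing the check he describes: pulling the connection-specific suffix out of the DHCP lease. It parses the options field of a DHCP ACK, extracts option 15 (domain name) and option 6 (resolvers), shows how the Windows stub resolver turns an unqualified name such as `mail` into `mail.p5115.tdko.com`, and flags a lease whose suffix or resolvers differ from what the ISP is expected to hand out. The expected suffix `isp.example`, both resolver addresses and the sample leases are constructed placeholders; only the suffix `p5115.tdko.com` comes from the thread.

```python
"""Added example: parse the options field of a DHCP ACK and flag an unexpected
connection-specific DNS suffix (option 15) or resolver list (option 6).

All leases below are constructed for the example; 'isp.example' and the
resolver addresses are placeholders, not the real ISP's values."""
import socket

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 options field starts with this


def parse_dhcp_options(blob):
    """Return {option_code: raw_value} from a DHCP options field (RFC 2132 TLV)."""
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = len(MAGIC_COOKIE)
    while i < len(blob):
        code = blob[i]
        if code == 0:            # pad option, single byte, no length
            i += 1
            continue
        if code == 255:          # end option
            break
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dns_servers(opts):
    """Option 6: list of dotted-quad resolver addresses."""
    raw = opts.get(6, b"")
    return [socket.inet_ntoa(raw[k:k + 4]) for k in range(0, len(raw), 4)]


def domain_name(opts):
    """Option 15: the suffix Windows installs as 'Connection-specific DNS Suffix'."""
    return opts.get(15, b"").decode("ascii").rstrip("\x00")


def qualify(name, suffix):
    """Mimic the stub resolver: an unqualified name gets the connection suffix appended."""
    if not suffix or "." in name.rstrip("."):
        return name
    return f"{name}.{suffix}"


def audit_lease(blob, expected_suffixes, expected_resolvers):
    """Return a list of findings; an empty list means the lease looks like the ISP's own."""
    opts = parse_dhcp_options(blob)
    findings = []
    suffix = domain_name(opts)
    if suffix and suffix.lower() not in {s.lower() for s in expected_suffixes}:
        findings.append(
            f"unexpected DNS suffix {suffix!r}: a lookup of 'mail' would go to "
            f"{qualify('mail', suffix)!r}")
    for ip in dns_servers(opts):
        if ip not in expected_resolvers:
            findings.append(f"unexpected resolver {ip}")
    return findings


def build_options(message_type, resolvers, domain):
    """Build a minimal options field (used only to construct the sample leases)."""
    body = bytes([53, 1, message_type])                           # option 53: message type
    body += bytes([6, 4 * len(resolvers)])
    body += b"".join(socket.inet_aton(ip) for ip in resolvers)    # option 6: DNS servers
    body += bytes([15, len(domain)]) + domain.encode("ascii")     # option 15: domain name
    return MAGIC_COOKIE + body + b"\xff"


DHCPACK = 5
# Constructed leases: the suffix in the second one is the one the poster observed;
# 192.0.2.53 is a documentation-range placeholder for the rogue resolver.
BENIGN_LEASE = build_options(DHCPACK, ["10.0.0.53"], "isp.example")
HIJACKED_LEASE = build_options(DHCPACK, ["192.0.2.53"], "p5115.tdko.com")

if __name__ == "__main__":
    for label, lease in (("benign", BENIGN_LEASE), ("hijacked", HIJACKED_LEASE)):
        print(label, audit_lease(lease, ["isp.example"], ["10.0.0.53"]) or "clean")
```

In practice the bytes come from a packet capture of the DHCP exchange; the point of auditing both fields is that the suffix alone decides where an unqualified name goes, so a lease can look clean on resolver addresses and still send `mail` to an attacker's zone.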

  21. Very interesting.... by arf_barf · · Score: 2, Funny

    Is this an encouragement to hacking? I guess the moral of the story is that as long as the loot is below 10K, it's fairly safe for the hackers :-)

  22. Tell them you're with by CodeHog · · Score: 2, Funny

    the RIAA. Then maybe you'll get action.

    --
    Fat, drunk, and stupid is no way to go through life, son.
  23. Douglas Adams gave a good answer for this... by Nemus · · Score: 4, Insightful
    Apparently this problem is protected by a SEP shield (Somebody Else's Problem). Simply put, it doesn't affect these people directly, so they could give a wingnut less.

    As much pomp and posturing as some of these organizations do, in my experience, the FBI guy you talked to was right: unless it's a big company that has the cash to sue the government for not enforcing the laws, or at least raise a stink about it, these organizations will do nothing.

    The reason for this, as I see it, is that most of the legal side of this stuff is handled at a federal level. So if only, say, 100 people or so are affected, they're simply not going to waste their time on it. The only solution I could see to this problem is that, once the general populace becomes better educated to what's out there and what all this "fancy internet stuff" means, there is the possibility that smaller, more municipal "cyber crime" organizations may spring up, to deal with complaints coming from people in their municipality. Until then, it's a jungle out there, and it's every man for himself.

    --
    Mod Points: Helping you keep your opinion to yourself.
  24. This is standard by alienw · · Score: 4, Informative

    This is a very standard type of attack and a standard FBI response. FBI damage trigger is $5,000 IIRC. If the ISP calls the FBI, they can get the ball rolling. You can't, and frankly it's none of your business since it's the ISP server that got hacked. I wouldn't do anything beyond calling the ISP. You can't claim financial losses, because you didn't lose any money directly as a result of this hack.

    1. Re:This is standard by Spad · · Score: 2, Insightful

      I'd argue that it is damn well my business if my ISP's servers are being compromised by a 3rd party, which could result in the interception of any information I transmit online.

      I assume it would be none of your business if you found out that someone was embezzling money from your bank too.

    2. Re:This is standard by antiMStroll · · Score: 2, Insightful

      Oh bullshit, being witness to a crime in process has legal ramifications. Granted, no one will know that you saw and didn't report it, but saying it "it's none of your business", especially when it's his traffic being hijacked, is just incorrect.

  25. Call them Terrorists by Alan · · Score: 5, Insightful

    I say this only partially in jest, but maybe try contacting the dept of homeland defense, or GWB himself or something. Call it terrorism, they'll be shut down faster than you can say "foo".

    Seriously though, with the increase in the gov't involvement and crackdown on cyber terrorism (or they say there is) isn't this a prime candidate?

    That said, it's scary that the ISP doesn't seem to give a fark about this. If I was in charge of their security I'd be fixing this as quickly as possible, not letting my company's customers continue to use a compromised service. Wouldn't it be considered negligence to allow your customers to continue using a server you know to be compromised (i.e. not changing the DHCP server back, or simply shutting down all access)? Personally I'd much rather lose my net access for a bit while this is cleaned up than have my ISP knowingly let me proxy through sniffers and password grabbers.....

  26. Re:semi-hourly dose of content ? by aridhol · · Score: 4, Funny

    How did he go through the chaff so quickly?

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  27. http://www1.ifccfbi.gov/index.asp by Hollinger · · Score: 2, Interesting

    Go to http://www1.ifccfbi.gov/index.asp and file a complaint. They'll follow up.

  28. When I ran a small ISP by astrashe · · Score: 4, Interesting

    When I ran a small ISP, our experience was the same. The law enforcement people didn't do anything for us.

    It was strange, because the FBI had actually sent a couple of agents to our office to introduce themselves, pass out business cards, and the like. But when we had trouble, we called them up and those guys basically said, "there's not much we can do."

    When the agents introduced themselves, they gave us a questionnaire to fill out, and there was a question about encryption -- had we noticed anyone using it?

    The questionnaire (which I didn't complete), and the lack of response when we actually needed help, sort of soured me on the bureau. The agents were nice guys, and I had the feeling that they were sincere when they were talking to us, but the organization itself didn't seem to be too helpful.

    I don't really have a problem with them paying more attention to hacks on major e-commerce sites or banks than on my little ISP (which has long since been sold). The reality is that there's so much cracking going on, and it's so hard to track it down, that chasing small incidents isn't really practical. If a big ecommerce site gets cracked, a lot of people get hurt, the situation is really different.

    The lesson that I learned is that you're basically alone when you get attacked. No one cares, and no one will help. Your ISP won't do anything, law enforcement won't do anything, and your customers will be incredibly angry with you. The only way to deal with it is to do whatever you can to secure yourself up front.

  29. VISA would have been my next call. by garyrich · · Score: 5, Insightful

    *They* will certainly care about a hijacked proxy archiving account numbers and sniffing passwords. Now, when they call your ISP - I bet they would take immediate notice.

    --
    -- your Web browser is Ronald Reagan
  30. Re:use of SSL/SSH by ckaminski · · Score: 2, Insightful

    And we never will be. :-)
    As the defences get better, so do the weapons.

  31. what to do: by Stephen+Samuel · · Score: 4, Interesting
    I can see a couple of things here:
    First of all, file the report. Ask the support person if you can fax in the report because you don't want to inform the hacker that (s)he's been spotted and you are reasonably clear that you can't get a secure channel to their web server.

    If they absolutely insist that you go through their web pages, then do so. Give enough information to prove that you understand what's going on, and inform the person on their support line that you'll be expecting someone to call you with a phone number that you can call them back at.

    (This is to prevent impersonation. I'd actually check the number to make sure that it belongs to the company in question) -- remember, the hacker may be seeing your on-line communications.

    Basically, the cops are right... about the only people who can force a real police investigation are at the ISP in question. If they can show that a couple hundred (or thousand) people have been affected by this hack then the cops may get involved.

    If you want to be snarky, then you can ask the name of a good local journalist that you can tell your story to. That might also light a fire somewhere. If nothing else, people in your community need to know that their communications are being logged by someone with clearly malicious intent. Be prepared to spend some time explaining things to the reporter. Someone with the stature to get fur flying is also unlikely to have serious technical computer knowledge. Be ready with a lead-in line to get his attention fast, like:

    I've got an interesting story for you. It appears that <X ISP's> servers have been badly hacked, and some malicious entity is now snooping on the communications of all their customers. Passwords, credit card numbers and other personal information are all at risk. I've tried contacting the ISP, the FBI and a couple of other entities with no satisfaction. Are you interested?
    --
    Free Software: Like love, it grows best when given away.
    1. Re:what to do: by Stephen+Samuel · · Score: 2, Insightful
      BTW: I wouldn't be too hard on your ISP on this. They really do need to get this data into their system so that they can deal with it reasonably. Although a verbal report can give them a bit of a heads-up, a written report will give them a better idea of what they're facing and provide less risk of data-loss/corruption as a verbal report goes from person to person (have you ever played the whisper game?). Given the work you've done so far, I'd say it's worthwhile to do a little bit of bending over backwards to make sure that you can get this report into their system.

      Also: they also probably get a lot of false-positives from their customers. They need enough information from you to distinguish your report from one of those. Unless your ISP is really small, the person you got on the phone is probably a low-level flunkie who's going to have to punch your report through 2-3 levels of management before it can get to someone who can properly deal with what you've noticed.

      There aren't many people who can deal powerfully with a hack attack of this kind. If you're willing, you might want to let them know what else you're willing to do on either a paid, or unpaid basis.

      --
      Free Software: Like love, it grows best when given away.
  32. lop.com by athakur999 · · Score: 5, Insightful

    Have you tried running Spybot or Adaware lately? If you try going to p5115.tdko.com, you'll find it's a website for lop.com. Which, incidentally, is an infamous purveyor of spyware:

    http://www.spywareinfo.com/articles/lop/

    --
    "People that quote themselves in their signatures bother me" - athakur999
  33. My experience with the feds by JWSmythe · · Score: 4, Informative

    Our biggest problem isn't breakins, it's posting web site passwords on the net.. Hey, it's still someone using an illegal means to access materials (yada, yada, yada).

    We do our own defenses, but I always see the users or proxies attempting crap.. I tried calling a few providers, but they're completely dense when you say "someone on your network is attacking one of my servers." Somehow they manage to get the stupidest people handling their support desk, who can't even comprehend what a server is. If you do manage to get to an abuse department, they'll rarely do much.

    A few years ago, I got tired of fucking with the help-desk people to complain to, so I called the FBI. They took my information, and had an agent call me back. It took a couple weeks to get the return call, but I did. He was actually well informed, and seemed to know at least the basics of how the Internet worked. He also said that I'd have to prove a monetary loss. The minimum amount was $5,000, if I recall correctly. It isn't enough that someone can abuse the shit out of your system, you have to prove that you were losing money in the process. So I have to make the decision: do I set up the system poorly enough so we do lose sales/members over fairly simple attacks, or do I just forget trying to get anyone to help?

    Recently, a friend of mine rewrote a site for selling calling cards on the net. The company is an established real-world business, they just wanted to expand. So, she spent a few months putting together a kick-ass site, with all the bells and whistles that the owner asked for. About a month after it went live, someone started hitting it with fraudulent transactions. Even with all her normal precautions (and a few of mine), and using a 3rd party billing company with their own precautions, they still got hammered for about $10,000 worth of fraud. The FBI was willing to take a report on this one, but never investigated, and never did anything about it. She (the programmer) had got the IPs of the users, found out who owned the blocks. We actually knew where they physically were and told the FBI. If they were interested, they'd only need to send one agent where we told them, and close the case. They didn't. It's still an open case with no leads. {sigh}

    There were IPs in two different /24's doing the fraud. They were coming back about once per day and doing the same scam. Each one was an Internet cafe thing, so fairly obviously it's someone sitting on a public machine trying not to get caught. But, they were both at least 1000 miles from where we were, so it was pretty useless for us to catch them. It would have just been so easy for the FBI to send one agent out. $10,000 fraud on one site is nothing. I'd be more than willing to bet that they were hammering a whole bunch of sites with those same transactions.

    We called the cafe owners and told them what was happening. Their suggestion was to call the police, they weren't going to stop anything. {sigh}

    Knowing how bad they are to stop things, I wonder if I'm doing the wrong thing, staying on the legitimate side of things. If we can literally say "The guy sitting in this cafe is running tens of thousands of dollars in fraudulent transactions per day, and stole from us" with proof, and they won't touch it, how much evidence do they really need against someone to do something?

    Ya, we see the big "some hacker caught" stories occasionally, but honestly with all the crime going on (yes, there's lots), it's only rarely that you hear about someone getting caught.

    --
    Serious? Seriousness is well above my pay grade.
    1. Re:My experience with the feds by JWSmythe · · Score: 2, Interesting

      What's funny is, we get this same occasional complaint. Joe user will mail to us, his provider, and some authority (like the FBI or whatever) saying a very secure web server is attacking him. By very secure, I mean that the particular web server has no CGIs on it, and the firewall rules block everything but port 80. But, I always do check out the machine (verify all binaries, make sure there's nothing weird going on, etc, etc), and then respond to him and all letting him know it's probably just his firewall being weird, since it's reporting port 80 traffic as a hack attempt.

      It's understandable that they may get confused.. They'll start browsing to one server, but eventually requests go to other servers, or come from the wrong IP. Our big site has 16 IP's on just over half as many machines. Some of the machines use teql to manage their load across two ethernet cards, so they hit one IP, but the traffic comes back from another. I've let a few newbie abuse people know that port 80 is the web server (they had no clue), but most of them look at the reports and let the user know straight off that it's their firewall.

      I'm very happy with Level3's abuse department. They're careful to forward every real abuse complaint to me quickly. There was a hosted machine broken into once that was port scanning machines, which I did unplug then fix. The hosting customer wasn't very happy that I unplugged his machine, but hey, he didn't take care of security on it, dammit. Most of the time, I think I'm being weird that I actually reply to every abuse report, no matter how they come in. It's weird how many abuse reports end up going to the billing department first.

      It's cool that you take care of all your abuse cases too.. We're a rare bunch out on the Internet, but we're making sure at least our chunk of the net is secure.

      I agree, it's frequently older people. The worst complaints I get are from older folks who say they've been programming on the Internet for 40+ years (ummm, the 1960 Internet?). I haven't gotten many of those lately. Most of those came in back in the .com boom, when everyone thought they were experts, and were throwing crap at us most of the time. Some of them had half a clue, but it was when they first discovered netstat, and would see ports open to our web servers, they'd completely freak out.. I'd have to talk them down, and explain to them, "if you want to see pictures from our porn site, you're going to have to have a connection open to us in some way."

      --
      Serious? Seriousness is well above my pay grade.
  34. Law enforcement staffing by burNtchicken · · Score: 2, Interesting

    To begin with, like many previous posts are stating, the FBI doesn't handle individual cases of home intrusion or even very small business intrusions.

    The best place to call would be local law enforcement (eg. county or state). Depending on their practices, you may or may not get a response. However, the unfortunate reality is most law enforcement agencies are too understaffed and underfunded in their computer crimes departments to be able to give an effective response to individuals. This goes for organizations from the FBI all the way down to your local PD.

    All of the money being currently allocated to cyber crime is more geared toward terrorism (Since that's the buzzword these days), or general attacks on public infrastructure, government and large businesses. Furthermore, attacks on individuals are so prolific that I don't think any PD would even know where to begin.

    As if that wasn't enough, there is such a shortage of law enforcement professionals who understand and can perform an effective incident response, that even if such PDs and agencies had the cash, they couldn't hire many more quality people. The best security professionals often tend to make their way toward the private sector (Again serving big business or big government contracts) where they'll make real money.

    Sadly, you're just not going to get much help these days from government. Someone earlier mentioned posting your problem on slashdot or somewhere else (Does anyone know of a good site to post for home incident response advice), and that's probably the best idea, because you're better off just defending yourself.

  35. Call the big boys.. by Trunkboy · · Score: 2, Funny

    Just report to the RIAA that these individuals were trying to rip the Madonna CD from your CD-ROM. That should do it. ;o)

  36. Re:nothing at all by Anonymous Coward · · Score: 5, Interesting

    I have always been surprised by how uninterested cops are in investigating some crimes. I once had a $500 camcorder stolen while I was packing my bags into a cab right outside a hotel. The guy who took it and ran was caught on the hotel security camera, but the cops didn't even bother to come and take a look at it. They were like, "well, unless they have a full name tag on the video, it's not worth our time." I kind of understand that $500 is not worth doing facial recognition checking against some database, but you would think they would at least want a snapshot of the guys face to store in some file cabinet in case he commits a more serious crime to retrace his steps.

    Kind of reminds me of Giuliani's (NYC mayor) statement that letting people get away with small crimes usually leads to them committing major ones. Also reminds me of the Washington sniper case -- had the cops cared more about documenting and investigating their convenience store robbery, they would have probably been caught a lot sooner.

    Do we really have so much crime in this country that the city cops do not have the resources to care about $10000 crime?

  37. Re:Call tech support, but embarrass them too by tigris · · Score: 5, Insightful

    I'm truly amazed that Charter and the FBI blew you off like this.

    You've already tried going through channels so the next step is embarrassing them into doing something about it - notifying news media outlets and posting to slashdot are probably all you can do though. If Charter has any specific usenet groups like @Home used to have, I'd post this info there as well.

    Best thing would be to get this on TV as then they can't ignore it. Charter is based in St. Louis and I'm sure one of the consumer affairs reporters at one of the TV stations in town would be interested in finding out that the major ISP in town is letting their users' passwords and other info get leeched.

  38. THANKS FOR THE GEAR DUDE! LOVE, THE COPS by Anonymous Coward · · Score: 2, Funny

    That shit was sweet. Thanks for leaving it in your car. Talk about window shoppin'!

  39. What Mr. ScriptKiddie learned... by Ifni · · Score: 2, Informative

    Now the wannabe computer criminals know that there is little to no danger in pulling off such computer crimes, because those that care enough to act are too small to be heard, and those that are large enough to be heard don't care enough to act.

    It is quite sad that the ISP took no interest in a breach of its own security, which only encourages future breaches, since the perpetrators know that they will get away with it, not because they are 1337 h4x0rz, but because nobody will look into it.

    It won't be long before such attacks become as common place as email viruses if the proper authorities don't act now, and, more importantly, the ISPs don't take heed of this danger. Lack of enforcement does indeed encourage crime.

    --

    Oh, was that my outside voice?

  40. Writer is an idiot. He has C2Media ad/spyware!! by Anonymous Coward · · Score: 5, Interesting

    % whois 66.220.17.46
    Hurricane Electric HURRICANE-3 (NET-66-220-0-0-1)
    66.220.0.0 - 66.220.31.255
    C2 Media Ltd HURRICANE-CE1076-331 (NET-66-220-17-0-1)
    66.220.17.0 - 66.220.17.255

    This is the infamous lop.com customized ad/spyware, see lop.com and wrn.net. The thing with the domain suffix is a trick with 127.0.0.1. This type of software typically installs a search toolbar in IE and they seem to come in a multitude of different versions. It's the worst of breed.

    C2 Media claims that people click through an EULA and know what they're installing. I know all this because my Dad had a "weird extra toolbar and popups to go online gambling". He found the running binary, I looked through a hexdump of it and there was their EULA alright. But he never saw it. This critterware can even get installed by merely mousing over a banner.

    Don't believe me? Google for "lop.com, adware, toolbar"...

  41. my ISP is Charter... by Vaughn+Anderson · · Score: 2, Informative

    Now what? How do I know when I am at risk? What does the normal schmo do in a situation like this?

    Should I stop accessing any financial websites that I use?

    This is the one thing that's always made me paranoid: so what if I have a firewall, if my ISP is hijacked, then what do you do? It's not like I have options out here. Charter is it, unless I want to bend over for Sprint's DSL (which they charge you tons of cash to cancel your account, among other nefarious things...) or satellite (ugh).

    1. Re:my ISP is Charter... by JohnA · · Score: 2, Insightful

      If you are using a relatively standards-based browser, and connecting to HTTPS servers, you are fine.

      SSL protects against man-in-the-middle attacks through the utilization of certificate authorities. If someone intercepts your connection, they must present your browser a signed certificate. If they present the one the original site uses, they must have the corresponding private key, which is near impossible. If they present a different certificate, your browser will pop-up a warning dialog informing you of this.

      The breakdown can only occur if a CA is compromised, or there is a security breach at the company providing the service over HTTPS.

      Long story short, use a good browser, and pay attention to those warnings, and you'll be golden.
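An added example, not code from JohnA or from the original post. JohnA's point is that the browser compares the presented certificate against something it already trusts and warns on a difference; the ssh client does the same with a cached host key instead of a CA, which is the warning that started this whole story. The block below reimplements that known_hosts check in Python, including the hashed `|1|salt|hash` entry form, and returns `CHANGED` for the case where the cached key no longer matches what the server presents. The keys, salt and hostnames are constructed for the example.

```python
"""Added example: the trust-on-first-use host-key check behind the poster's
ssh warning, run over an OpenSSH-style known_hosts file.

Keys, salt and hostnames below are constructed for the example."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data):
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw32):
    """Public-key blob in the layout OpenSSH base64-encodes in known_hosts."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint(blob):
    """OpenSSH's SHA256 fingerprint: base64 of the digest with padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_entry(hostname, salt):
    """The |1|salt|hash host field written by 'HashKnownHosts yes' (HMAC-SHA1)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field, hostname):
    """True if the first known_hosts column covers hostname, plain or hashed."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in field.split(",")


def check_host_key(known_hosts, hostname, keytype, presented_b64):
    """Return (verdict, fingerprint): 'ok', 'CHANGED' (a cached key for this host
    differs, the case that should stop the login), or 'unknown' (first contact)."""
    presented = base64.b64decode(presented_b64)
    seen_host = False
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue            # comments; @cert-authority/@revoked markers not handled here
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, ktype, key_b64 = parts[0], parts[1], parts[2]
        if ktype != keytype or not host_matches(hosts, hostname):
            continue
        seen_host = True
        if hmac.compare_digest(base64.b64decode(key_b64), presented):
            return "ok", fingerprint(presented)
    return ("CHANGED" if seen_host else "unknown"), fingerprint(presented)


# Constructed material: the legitimate server key, an impostor's key, a fixed salt.
LEGIT_KEY_B64 = base64.b64encode(make_ed25519_blob(bytes(range(32)))).decode()
IMPOSTOR_KEY_B64 = base64.b64encode(make_ed25519_blob(bytes(range(32, 64)))).decode()
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "mail.example.org,203.0.113.10 ssh-ed25519 " + LEGIT_KEY_B64,
    hashed_host_entry("shell.example.org", b"\x01" * 20) + " ssh-ed25519 " + LEGIT_KEY_B64,
])

if __name__ == "__main__":
    for key in (LEGIT_KEY_B64, IMPOSTOR_KEY_B64):
        verdict, fp = check_host_key(KNOWN_HOSTS, "mail.example.org", "ssh-ed25519", key)
        print(verdict, fp)
```

The right reaction to `CHANGED` is the one the poster had: stop and find out why, rather than answering "yes" and typing the password into whatever is on the other end. The browser's certificate warning deserves the same treatment, which is the sense in which JohnA's advice to "pay attention to those warnings" is the whole defence.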

  42. what to do to get some action by prgrmr · · Score: 2, Insightful

    With respect to getting some action on any future attacks - what should I do? Who should I call?

    Write your state's attorney general. Include all the information you collected, a more detailed explanation of what you posted here of the incident. Let them know you've contacted the FBI, but I wouldn't lead them to any conclusions about where that is going. Request that their office look into this from both a perspective on the potential harm from the hack, and the responsibilities of your ISP to respond to, and ultimately, prevent this sort of thing.

    Then, write each of your senators and your congress person. Before you do that, find out which committees they sit on and see how you can tie this in to their oversight responsibilities with regard to the various government offices that could be dealing with this. Point to anti-hacking legislation like the Patriot Act and anything anyone suggests, and then point out how the laws are not uniformly enforced. Point out that potential harm and not sheer magnitude of dollars expended ought to be a deciding criterion for launching an investigation, or not.

    If you haven't already, fill out an incident report for your ISP to cover yourself. Those IP addresses belong to someone, and they have a responsibility in this. Whether direct, or indirect, remains to be seen.

    Finally, contact your lawyer. If for no other reason, you will need some legal CYA in your back pocket as insurance, given the stir you've already started by contacting those people that you have. Not that you should have to worry about liability issues, but you never know.

    HTH, good luck with it.

  43. Simple.... by PortHaven · · Score: 3, Funny

    If you can't beat em, join'em!

    First off, do the terrifying...submit to CNN.com or ZDNEWS....

    "Entire Charter One Internet Communications Divisions Security Jeopardized....what data was collected? Why was nothing done to stop this...even after a client reported the crime in progress!"

    Then file a lawsuit, or insinuate one by paying a lawyer to make a call and claim that his client is considering filing for damages....blah..blah..blah.

    But the truth of the matter is, most of our recent laws are there for two reasons.... a) to protect the powerful, b) to keep the masses subdued.

    Almost none of them are designed to punish actual criminals or protect the common citizenry. Face it, our justice system in America is dying...

    1. Re:Simple.... by Hank+Reardon · · Score: 2, Funny
      Actually, this might not be such a bad idea.

      With the over-the-top reactions reported in the media, this might be exactly what is needed to force Charter One to deal with their fucked setup.

      --
      There's so little difference between politics and jihad lately...
  44. Try calling Scotland Yard by FreeLinux · · Score: 5, Interesting

    Here is the info on the addresses you provided.

    Lop.com
    Unit 12
    571 Finchley Road
    Hampstead
    London, NW3 7BN
    UK

    Domain name: LOP.COM

    Administrative Contact:
    Live, Media webmaster@lop.com
    Unit 12
    571 Finchley Road
    Hampstead
    London, NW3 7BN
    UK
    + 44 7817 130 743
    Technical Contact:
    Live, Media webmaster@lop.com
    Unit 12
    571 Finchley Road
    Hampstead
    London, NW3 7BN
    UK
    + 44 7817 130 743

    Registrar of Record: TUCOWS, INC.
    Record last updated on 12-Mar-2003.
    Record expires on 06-Oct-2005.
    Record Created on 07-Oct-1998.

    Domain servers in listed order:
    NS1.LOP.COM 66.220.17.5
    NS2.LOP.COM 66.220.17.5

  45. The reason law enforcement won't investigate by djbrums · · Score: 5, Informative
    I worked as a security officer for many years, working with law enforcement on issues such as this. In reality, what you've run up against is a fundamental problem with computer law. Almost any offense they could charge the perpetrator with is a felony, thus the FBI should handle the case.

    So what does it take to get the FBI to investigate? There are about 4 different things the bad guys could do:

    • Cause $5000 worth of damages. What "damage" means is not standardized. Some district attorneys read the law as meaning $5000 worth of physical damage! In any case, most interpret this to mean $5000 in damages from the hack, but recovery time is not necessarily included. Thus the question of whether your credit card was used.
    • Breaking into a financial institution.
    • Cause a public health threat, such as by breaking into a hospital.
    • Attacking the interests of the US, i.e. the gov't.

    The problem is you don't fit into any of these categories for the FBI. Suppose you did come up with the required damages. Then the FBI have to choose whether to pursue your case or another. If someone else is causing more problems, they'll investigate them instead of your case. If you don't have any idea who's doing the hacking, then again they'll probably go after someone who they think is easier to catch. Last, they'll try to decide whether or not they think the case will lead to an easy conviction. If not, again you're screwed.

    Basically it's a matter of priorities, and this doesn't sound like a large enough hack to be more than the blip of a Cessna at an international airport full of 747's.

    It sucks, but that's how it is. What would be good is if hacking resulted in a fine, or some other misdemeanor. Then convictions would be easy, and the bad guys would quickly learn crime doesn't pay in the small case, and the big cases result in the FBI actually going after them.

    1. Re:The reason law enforcement won't investigate by Jon+Abbott · · Score: 2, Informative
      So what does it take to get the FBI to investigate? There are about 4 different things the bad guys could do:
      • Attacking the interests of the US, i.e. the gov't
      To add to the earlier comment, the situation with Cliff Stoll in the Cuckoo's Egg started out as a few minor hacking incidents, and was eventually traced to a group of German hackers who were stealing U.S. military documents and selling them to the KGB (and this is non-fiction!). Cliff's computers were being used as an intermediate link to other, more important computers at various U.S. National Labs and Air Force Bases. The FBI had no interest at first because from Cliff's perspective it just appeared as if somebody was breaking in and leaving an account open. The CIA had no interest at first because it didn't appear to be an international crime. Only through lots of Cliff's own investigation and persistence was he able to convince the CIA to finally listen, which uncovered the crazy ring of espionage...

      The moral of the story: Not all minor hacks are minor hacks. :^)
  46. Re:Ratchet the wench some more. by mattsucks · · Score: 2, Funny

    Ratchet the wench

    I've never heard it called _that_ before.

  47. your comparison... by pulse2600 · · Score: 2, Insightful

    I think your comparison to the Mitnick case is a little off. In the Mitnick case, the companies he broke into/social engineered called the federales and reported a crime on their systems. It is their responsibility to report crimes on their computer systems, and I don't see why law enforcement would respond to a call from someone concerning a crime that is not specific to that person's computer system. Technically you do not have the authority to ask the police to investigate crimes on computers you do not own or otherwise have responsibility for. That's like saying my ISP can call the police if they notice someone hacking into my computer. It's my decision or responsibility to report the crime. The hacker in your dilemma hacked your ISP, not you specifically. However it is a different matter if the hacker actually used information they collected from hacking your ISP against you - such as credit card information, SS number, passwords, whatever. At that point you can report credit card fraud, stolen identity, etc.

    Compare this to a non-computer situation: If someone breaks into your house, the cops can't enter your house to investigate without your permission, even if a neighbor calls up and reports the crime.

  48. Re:nothing at all by realdpk · · Score: 2, Informative

    Ha, no doubt. The police are definitely not there to serve the people. They're there, apparently, to direct traffic from parking lots (drive around Seattle at 4-5PM some time and count 'em - I've seen at least 6, in Seattle Police uniforms, indicating they're working for the city).

    It sounds to me like we need to cut back on police spending if they're not going to help the taxpayerfolk.

  49. Re:Something similar happened to me once by SuiteSisterMary · · Score: 2, Insightful

    Why..would your...plutonium containment computer...be hooked up...to a network..let alone..a public network..such as..the...Internet...?

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  50. tdko.com by jmichaelg · · Score: 2, Informative
    I pointed my browser at tdko.com and found a porn shop/spam center. The spam center has the following offerings:
    1. Email Extraction Software
    2. Realtime IP Tracking - Buy 25,000 visitors
    3. Create freedom,wealth,...
    and so on.

    If nothing else, the attack you describe is a way to harvest current email addresses.

  51. up the ladder/phones calls are wrong way to turbo by Anonymous Coward · · Score: 5, Interesting


    This "turbo" link gives advice better than most, but it's still not right. I have read so many times on slashdot posters' advice to work your way up the chain of command in a corporation. That is inefficient and won't get you results.

    The turbo article says, "phone the CEO's office". That's better, but a phone call is too easy to blow off and it easily gets lost in the shuffle.

    From experience within corporations at the highest levels, here is what works best. When you get blown off by lower level tech support, immediately write a letter to the highest people in the corporate food chain, its Board members or CEO. What typically happens is the letter will be passed down the line to the High Level Person who can handle it (some VP, for example) with instructions scrawled on the letter using a pen by the CEO which says something like, "Look into this, handle it, and let me know what happened."

    This is real life, people. Now you've got VPs at the highest level running around trying to solve your problem, who are required to report back quickly to a quixotic boss who has the power to fire them. This process is a model of efficiency - you quickly wrote a letter; the CEO very quickly scanned it, acknowledged the problem and quickly prescribed that a solution be found - and now the engines of the corporation are at work scrambling to solve your problem.

    Doing it in writing makes it easier for the CEO to pass the responsibility on quickly. All he has to do is take a few seconds to read your letter, and a few seconds to delegate the solving of your problem. He doesn't even have to try to re-articulate what your problem is through phone calls and garbled telephone tag -- you've done this for him already.

    So, this turbo approach gets it only half right. Yes, they're right - working your way up the ladder doesn't work, only down the ladder works. But, you've got to do it in writing, and quickly. That's the way to get fast results.

  52. FBI is busy by Capt_Troy · · Score: 3, Informative

    I spoke to an FBI agent about this once. She told me that their computer crimes division is so extremely busy that they only concentrate on the cases involving about 250K or more, since they don't have the resources to investigate everything. Additionally, she told me that when making a case to the FBI, your time and expenses in the initial investigation are valid monetary losses and can be included in the net loss resulting from the hack. However, you need to have suffered serious losses to get your case looked at by the FBI.

    Sorry. But they are busy.

    Troy

  53. Re:use of SSL/SSH by Rude+Turnip · · Score: 2, Funny

    Agreed. When I need to check my confidential email, I fly from NJ to the hosting center in Texas where my domain is hosted. From there, I plug my laptop into the serial port on the server and run minicom to get in. You just can't be too careful nowadays!

  54. Re:nothing at all by DNS-and-BIND · · Score: 2, Interesting

    When I was involved in a computer crime case, the FBI wouldn't touch it unless it involved a loss of more than $50,000. My company claimed $300,000 in losses. They later (much, much later) revised this figure downward to $9,000 or so. By then it was too late, the FBI was involved and now a man is in prison because of it.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  55. go after the next rung by arget · · Score: 5, Informative

    The government is worthless in this. They're reactionary, not preventative, and even then will only give you the time of day if there's hard money or data loss involved.

    Charter was woefully unconcerned, and as their customer, I'd raise hell, escalating up their corporate food chain.

    To get at the actual attacker, go the next rung, look at who owns/controls the IPs that you're being redirected to.

    http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-66-220-17-0-1

    CustName: C2 Media Ltd
    Address: P.O. Box 1113
    City: Shalimar
    StateProv: FL
    PostalCode: 32579
    Country: US

    who are in turn a customer of Hurricane Electric

    TechHandle: ZH17-ARIN
    TechName: Hurricane Electric
    TechPhone: +1-510-580-4100
    TechEmail: hostmaster@he.net

    OrgTechHandle: ZH17-ARIN
    OrgTechName: Hurricane Electric
    OrgTechPhone: +1-510-580-4100
    OrgTechEmail: hostmaster@he.net

    Go to Hurricane, and ask them why they're letting this go on. They'll be more concerned. You've indemnified Charter in your service agreement, most likely, and can't sue them. Hurricane has no such protection from you and will, ironically, be more responsive than your own ISP.

  56. Re:Call tech support, but embarrass them too by paganizer · · Score: 4, Insightful

    Don't be amazed.
    It's just the way they work; unless it's internally generated, whether at Charter, the FBI, or any other investigatory agency, they just don't want to see it; they have already got a job, things to do, and they don't want you adding to the load.
    If you REALLY PUSH, they will usually put you in contact with someone who at least has a clue what you are talking about, but the first thing THEY will do, if you are a private individual, is see if you are the criminal; you are guilty until proven innocent, if you actually get them to take you seriously.
    They also will have no interest whatsoever in any evidence you have gathered; they know that it won't be investigated for most likely months, so there is really no point to it.
    If you encounter any behavior other than this, you should really keep it to yourself; otherwise the competent individual you encountered will most likely get fired.
    I know of what I speak; I ran into some blatantly immoral(important) non-legal(not so important) activity in the past and determined to get it taken care of no matter what the cost in time or effort.
    and the costs were very high.

    --
    Why, yes, I AM a Pagan Libertarian.
  57. Re:These laws are not made for you! by Sloppy · · Score: 2, Funny
    Yeah, I'm getting tired of these guys. They always use the same argument, "It's not stealing! When I benefit from a law, the corporation that bought it, still gets to benefit from the same law! Laws aren't divisible and you can't 'use them up!'" the idiots say.

    How stupid. These longhairs don't realize that when you use an existing law instead of purchasing a new one, you depress the legislation market. Longhairs, think about it: When you recycle legislation, your senator's next election campaign isn't getting funded. Your city councilor isn't getting his beer money. Do you expect these people to work for free? It's ludicrous. Try to imagine your communist unAmerican utopia, where founders get the laws correct one time, and then everyone lives by the same old laws. The legislators' campaign bank accounts would all be a joke, and any regular Joe off the street, would be able to afford to run against them in the TV ads.

    Foreigners might even get in on it! Do you want an America run by foreigners!? Do you want your senator's re-election campaign run from an office in New Delhi, by people who have never tasted apple pie or seen a baseball game? Our legislators need protection, and it should be supplied by the government itself. We should have the government hire lobbyists to lobby itself, in order to keep the jobs safe.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  58. I'm using charter as well... by eniu!uine · · Score: 2, Insightful

    Unfortunately I am not as technically savvy as the poster. Is there any way I can duplicate the 'investigation' to see if I get the same results at least so I know whether or not my information is being collected? I use DHCP to get my DNS, so I'm pretty much screwed if the poster is right.
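
    One way to repeat the original poster's investigation on your own Windows machine, as an added example that is not code from the thread: step one pulls the connection-specific DNS suffix and the DNS servers out of `ipconfig /all` output (a constructed sample is embedded so it runs offline); step two probes that suffix for wildcard behaviour by resolving a handful of random labels under it. A sane zone returns NXDOMAIN for names that were never registered; a zone that answers every one of them with the same address set is the catch-all the original post describes. The resolver is injected: `fake_resolver` reproduces the hijacked zone for the offline run, `real_resolver` queries your system. The 24.0.0.x addresses in the sample are placeholders, not Charter's.

```python
"""Added example: reproduce the DNS-suffix / wildcard investigation.
Not code from the original thread.  Runs offline with a constructed
`ipconfig /all` sample and a fake resolver; see __main__ for the swap
to a live run."""
import secrets
import socket
from typing import Callable, Dict, List, Set, Tuple

# Constructed `ipconfig /all` excerpt.  Suffix as in the original post;
# the 24.0.0.x addresses are placeholders.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : p5115.tdko.com
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 24.0.0.17
   DNS Servers . . . . . . . . . . . : 24.0.0.2
                                       24.0.0.3
"""

# The three addresses the original post saw returned for every query.
HIJACK_ANSWERS = ["66.220.17.45", "66.220.17.46", "66.220.17.47"]

Resolver = Callable[[str], List[str]]


def parse_ipconfig(text: str) -> Dict[str, object]:
    """Extract suffix, DHCP flag and DNS server list from `ipconfig /all`.
    IPv4 only: an IPv6 server on a continuation line contains ':' and
    would be misread here as a new key."""
    suffix, dhcp, servers = "", False, []
    collecting = False            # inside the multi-line "DNS Servers" value
    for line in text.splitlines():
        stripped = line.strip()
        if ":" in stripped:
            key, _, value = stripped.partition(":")
            key, value = key.rstrip(". "), value.strip()
            collecting = False
            if key == "Connection-specific DNS Suffix":
                suffix = value
            elif key == "DHCP Enabled":
                dhcp = value.lower() == "yes"
            elif key == "DNS Servers":
                servers.append(value)
                collecting = True
        elif collecting and stripped:
            servers.append(stripped)
        else:
            collecting = False
    return {"suffix": suffix, "dhcp": dhcp, "dns_servers": servers}


def wildcard_check(suffix: str, resolve: Resolver, probes: int = 4) -> Tuple[bool, Set[str]]:
    """Resolve `probes` random, never-registered labels under `suffix`.
    If every one of them resolves, and to the same set, the zone is a
    catch-all.  Returns (is_wildcard, shared_address_set)."""
    if not suffix:
        return False, set()
    answers = []
    for _ in range(probes):
        addrs = resolve(f"{secrets.token_hex(6)}.{suffix}")
        if not addrs:
            return False, set()
        answers.append(set(addrs))
    if all(a == answers[0] for a in answers):
        return True, answers[0]
    return False, set()


def fake_resolver(name: str) -> List[str]:
    """Offline stand-in that behaves like the hijacked zone in the post."""
    return list(HIJACK_ANSWERS) if name.endswith(".p5115.tdko.com") else []


def real_resolver(name: str) -> List[str]:
    """Resolve through the system's configured DNS servers."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def investigate(ipconfig_text: str, resolve: Resolver) -> Dict[str, object]:
    """Tie the checks together.  `bare_name_resolves_to` shows why the
    suffix matters: an unqualified `ssh mail` is looked up as mail.<suffix>,
    and on a catch-all zone that lands on the attacker's host."""
    info = parse_ipconfig(ipconfig_text)
    suffix = str(info["suffix"])
    wildcard, addrs = wildcard_check(suffix, resolve)
    bare = f"mail.{suffix}" if suffix else "mail"
    return {
        "suffix": suffix,
        "dhcp_enabled": info["dhcp"],
        "dns_servers": info["dns_servers"],
        "wildcard": wildcard,
        "catch_all_addresses": sorted(addrs),
        "bare_name_resolves_to": resolve(bare),
    }


if __name__ == "__main__":
    # Offline run.  On Windows, feed it the live output instead:
    #   subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    # and pass real_resolver.
    for key, val in investigate(SAMPLE_IPCONFIG, fake_resolver).items():
        print(f"{key:>22}: {val}")
```

    Two caveats for reading the result. "DHCP Enabled: Yes" only says the lease is on; it does not prove the suffix arrived in the lease rather than being written locally by something on the PC. On Windows 2000/XP the two are stored as separate values under the interface's `Tcpip\Parameters\Interfaces\{GUID}` registry key (DhcpDomain for the lease-supplied suffix, Domain for a locally configured one), so comparing them tells you which path set it. And the wildcard probe only proves the zone is a catch-all, not that traffic to the listed addresses is being proxied; that needs the kind of direct connection the original poster made.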

  59. Come on! by siskbc · · Score: 4, Informative
    First, it's quite possible those guys were hijacked too, as it's hard to believe someone would be blase enough to point the proxy to their OWN server. So we may be adding injury to insult to injury here.

    Second, hey guys, the site's still up. Get off your lazy asses. ;)

    --

    -Looking for a job as a materials chemist or multivariat

  60. Nobody cares by hafree · · Score: 4, Insightful

    Unfortunately, nobody cares when it comes to the consumer. About a year ago a new vulnerability in AuthorizeNet's billing gateway was discovered that would allow someone to submit authorize-only transactions knowing nothing but your AuthorizeNet username, which was often found embedded within the various forms of an online store. One of my e-commerce clients fell victim to this, and had over 600 $0.01 authorize-only transactions submitted in under an hour. Basically what this meant was that someone was using my client's account to verify stolen credit card numbers.

    Going through my logs, I was able to get the IP addresses these submissions came from, the e-mail addresses the results were sent to (not sure why they bothered with that), and all information on every single card submitted. This included the card number, expiration date, and the cardholder's name and address. I contacted AuthorizeNet but they said it wasn't their problem. I called Visa and Mastercard but they just asked for a printout to be faxed to them (600 item spreadsheet 5 pages wide). I contacted the FBI and was referred to the NSA. I contacted the NSA and they said call back Monday since at this point it was about 6pm Friday evening.

    I was appalled to find out that some identifiable hacker with an arsenal of valid cards was about to be given an entire weekend to sell or use them before anyone would even consider looking into it. I couldn't even get the credit card companies to accept the spreadsheet of THEIR customers so they could at least warn them all that their cards had been compromised.

    I finally just gave up and destroyed any evidence of this fraudulent activity having ever taken place. With my luck, not only would the hacker get away, but I'd be the one in hot water for possessing that spreadsheet. It just goes to show you that nobody cares about the consumer.
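
    Detection logic for the pattern described in the comment above, as an added example that is not the poster's code: a burst of tiny authorize-only transactions from one source, which is how card testers validate stolen numbers. The gateway log layout below (timestamp, source IP, transaction type, amount, card number) is constructed and hypothetical; adapt `parse_log` to whatever the real gateway exports. The card numbers in the sample are the well-known public test numbers, not real cards. The report masks card numbers to first six and last four digits, which is the form you can hand to a card brand or the police without yourself holding a spreadsheet of full numbers.

```python
"""Added example: flag card-testing bursts in a payment gateway log.
Not code from the original post; log format is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log.  Five $0.01 authorize-only hits from one IP in
# a few seconds, then two unrelated transactions from other sources.
SAMPLE_LOG = """\
2003-06-20T17:58:01 198.51.100.7 AUTH_ONLY 0.01 4111111111111111
2003-06-20T17:58:02 198.51.100.7 AUTH_ONLY 0.01 4222222222222
2003-06-20T17:58:03 198.51.100.7 AUTH_ONLY 0.01 5555555555554444
2003-06-20T17:58:05 198.51.100.7 AUTH_ONLY 0.01 378282246310005
2003-06-20T17:58:06 198.51.100.7 AUTH_ONLY 0.01 6011111111111117
2003-06-20T18:02:10 203.0.113.9 AUTH_CAPTURE 49.95 4012888888881881
2003-06-20T18:03:44 203.0.113.12 AUTH_ONLY 0.01 4111111111111111
"""


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the usual truncation rule)
    so the report identifies cards without exposing full numbers."""
    if len(pan) < 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_log(text: str) -> List[Dict[str, object]]:
    """Whitespace-separated: ts ip kind amount pan (hypothetical layout)."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, kind, amount, pan = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "kind": kind, "amount": float(amount), "pan": pan})
    return events


def find_card_testing(events: List[Dict[str, object]],
                      window: timedelta = timedelta(minutes=60),
                      min_count: int = 5,
                      max_amount: float = 0.05) -> List[Dict[str, object]]:
    """Flag any source IP that submits at least `min_count` authorize-only
    transactions of `max_amount` or less within `window`.  Sliding window
    per IP, one alert per IP reporting the largest burst seen."""
    per_ip: Dict[str, list] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "AUTH_ONLY" and e["amount"] <= max_amount:
            per_ip[str(e["ip"])].append(e)

    alerts = []
    for ip, evs in per_ip.items():
        recent: deque = deque()
        best: list = []
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:   # drop events outside the window
                recent.popleft()
            if len(recent) >= min_count and len(recent) > len(best):
                best = list(recent)
        if best:
            alerts.append({
                "ip": ip,
                "count": len(best),
                "distinct_cards": sorted({mask_pan(str(e["pan"])) for e in best}),
                "first": best[0]["ts"].isoformat(),
                "last": best[-1]["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_card_testing(parse_log(SAMPLE_LOG)):
        print(alert)
```

    The thresholds are assumptions; the case in the comment (600 hits in under an hour) would trip this with room to spare, and the point of the per-IP window is that a single legitimate $0.01 authorization from another address, like the last sample line, does not.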

  61. Re:Call tech support, but embarrass them too by mitheral · · Score: 4, Insightful

    I'm sure one of the consumer affairs reporters at one of the TV stations in town would be interested in finding out that the major ISP in town is letting their users' passwords and other info get leeched.

    They probably wouldn't touch the story. DNS is too technical; heck, I'd have to explain this story to some of the support people I've worked with, and then a few of them still wouldn't get it. Joe six-pack doesn't have a chance, especially since they'd have to achieve understanding in the few minutes the medium allows.

  62. the Washington snipper by Mantorp · · Score: 2, Funny

    performing illegal male circumcisions, and various amputations in the DC area

  63. This is not a Charter problem by xrayspx · · Score: 4, Insightful

    Google, while not having a wealth of info on tdko.com, did have some useful bits: groups
    I'd heard the name tdko before, I was pretty sure, in the context of a Bonza or Gator or something. They'll change your default search page in IE, etc.; this sounds like just another dirty trick. I doubt they compromised the DHCP servers themselves; my guess is that some pop-up or spyware app changed your settings locally. If you did try it from multiple systems, well, they're several of YOUR systems; you may have visited the same site or installed the same spyware on each. I think eDonkey F'd with my default search page IIRC.

  64. Re:Call tech support, but embarrass them too by aridhol · · Score: 3, Insightful

    Simplify it without lying. Say that one of the ISP's servers has been cracked, and that this is allowing user passwords and information to be leaked. Give technical details at the end of the story, but keep the front part clear and simple.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  65. Re:Call tech support, but embarrass them too by ntsucks · · Score: 3, Informative

    Here are the local TV stations for St Louis. It's probably a big "who cares?" to them. They seem to like stories about lost puppies and sick kittens more than real news.

    http://www.ksdk.com (NBC #1 in ratings)
    http://www.kmov.com (CBS #2 in ratings)
    http://www.fox2ktvi.com (Fox #3 in ratings, good investigative reporters)
    (ABC affiliate gave up on local news)

    Tack on Charter's accounting scandals for more ammo.

    --
    Those who can do. Those who can't sue.
  66. Re:Call tech support, but embarrass them too by tigris · · Score: 4, Funny


    Heh, just thinking of my local Fox station - they'd have a field day with this:
    ::scary music/graphics::
    "Have CABLE INTERNET? YOUR passwords are being STOLEN! CHARTER doesn't CARE! FOX 5 DOES! Story at 10"

  67. Go to the press by Get+Behind+the+Mule · · Score: 2, Interesting

    ... and it doesn't have to be the New York Times, just get any kind of publicity. I'd be very surprised if you can't get your local TV news to run a story about this, if you tell them everything you posted. Of course, the idiots at the TV station will hardly understand a word, nor will they try, but they just love a story about eeeeeevil hacker pirate people and an unresponsive FBI. They'll run a story with pictures of computers in darkened rooms, with something that looks like the Matrix on the screen, and scary minor-key music in the background.

    And some poor spokesman for Charter will have to go on the news and say some crap like "This incident will be thoroughly investigated" or "We take the security of our customers very seriously" or some similar horseshit. Either that, or the TV news dorks will say, with ominous overtones in their voice, "Charter Communications did not return our calls".

    Then Charter will either have to do something about it, or they will suffer damage to their image and ultimately to their business. The latter won't help you much, but if it turns out that way, then you know for sure that you've got to stop doing business with them. And you've given them a little bit of hurt that they certainly deserve.

  68. Mention these 3 words to your ISP by gosand · · Score: 2, Informative
    Mention these three words in passing when talking to tech support at your ISP: Small Claims Court

    I hate our damn system where everything has to be taken to court, but it sounds like you are out of options. Get someone from the ISP on the phone, and make sure to ask them for their first and last name. Then mention that you haven't gotten any kind of reasonable response to your issue, and how you wouldn't want it to have to degenerate to a small claims court case. Ask for their manager, and I am sure they will get them for you.

    If you make them aware of the issue, and they refuse to respond to it, they are negligent. For crying out loud, you are trying to HELP them. Be sure to point that out, politely, of course. Make them realize that they want to resolve the situation.

    --

    My beliefs do not require that you agree with them.

  69. Call a TV station, then the ISP management by Tsu+Dho+Nimh · · Score: 3, Insightful
    Make sure you can SHOW the problem to a non-technical person. If you can show the problem, contact the ISP with your best concerned citizen attitude, as if you are doing them a BIG favor by giving them some time to get ready to be interviewed on TV.

    You start with a call to the highest rated local TV station and ask to speak to the "assignment desk or assignment editor" (this is the person who sends out reporters to stories). Explain to this person that a local ISP has been hacked and that customer data, including passwords and financial data, is at risk and the ISP doesn't appear to care. Repeat until you find a TV station who takes the bait. Then take one or both of the courses of action below.

    ONE: Call the ISP and ask to speak to the CEO. Tell them that their servers have been hacked, that their tech support was not interested in the potential for theft/abuse of customers personal data, and that you have reported it to the local media and will be running a demo of what is going on for the reporters. Ask them to be sure to have someone on hand for a phone interview with the TV reporters so they can explain why the hacking happened and what they have done to fix the situation. Get the name and number of the person the TV reporter should call.

    TWO: Call the ISP and ask to speak to their legal staff. (repeat story you tell to CEO) Ask them who is the right person for the ISP customers to send damage claims to, and also ask them to have someone on hand for the reporters to interview to explain what laws have been violated and how the ISP intends to get the laws enforced.

  70. FBI/Federal attitude... by gandy909 · · Score: 5, Interesting

    I have 2 things that happened where the 'feds' were involved, and I can say from experience that this is exactly the response you will get from the feds for trying to do the right thing.

    I have a dialup inet connection at home. Sux, but that's my only viable option at the moment. I stuck a 6.1 or 6.2 Redhat box on the modem and set it up as a firewall/default gateway for the other 3 (Windows) pc's in the house. The kids have to play online games, etc, ya know. I stupidly left the ftp server running for some reason. Worked flawlessly for 2 years. One day I came home and the box had crapped out in the midst of booting with a strange error. Finally got it up and things didn't even look right. Yup, I had finally had my first experience at being rootkit'd. Fortunately they had used a screwed up rootkit and it didn't like something about my system or the OS and it crashed on reboot.
    I freaked out and called the FBI right away in case they wanted the box to 'collect forensic evidence' or something. The conversation went like this, and the money figure is the one he used:
    "Hello, FBI"
    "Hi, I got my computer system hacked into. What do we do now?"
    "Uh, did you lose at least $50,000.00?"
    "No..."
    "Sorry, we could care less then. Goodbye"

    My other story, and I was more upset on it, happened when I worked at the courthouse when the 'dad's'(or mom's) paid the support there so the court could track the payments, then we would deposit it and write our own check to the 'mom's' (or dad's) and mail them out. A person we sent a check to lived in an apartment, but had moved and hadn't given us his/her new address. Someone else was now living in the apartment where we sent the check. To top it off, the post office had mis-delivered the check to a different apartment in the complex. (I know, it is confusing) Anyway, the person who got the check didn't know that the person it was made out to had moved. This person, knowing it was a check for a substantial amount of money, went to the address on the envelope and told the person who (now) lived there that they would only hand over the check for a certain percentage of the amount!!! This person said she would think about it and immediately called us. At this point we have the perfect 'sting' waiting to happen, and all the authorities have to do is be present when the blackmailer returns to settle the deal! So I called the FBI and they said they didn't care, and I should call the postal inspectors office. So I did. This guy said if there wasn't 'thousands and thousands' of dollars at stake he wasn't interested in the least.
    So here we have a real crime happening and no one cares, but when some kid goes out and knocks over a few mailboxes they throw the book at 'em. Those two events alone were more than enough to tell me to NEVER trust the federal gov't nor rely on them to do the right thing where individual citizens are involved. And this was all before that moron Ashcroft got in charge. (who is unfortunately from my state, and boy were we glad to get rid of him, or so we thought!)

    --

    (Stolen sig) Remember: it's a "Microsoft virus", not an "email virus", a "Microsoft worm", not a "computer worm
  71. Re:NOT A HACK by boredMDer · · Score: 2, Informative

    Did you so much as read the entire body of text?
    He never said that he was hacked, he said that there was some sort of DNS poisoning at his ISP's DNS servers.

  72. it's all about cc: by SolemnDragon · · Score: 5, Insightful
    Write a letter.
    Send it to Charter. List at the end the OTHER people to whom you are sending it, and you'll need to send them all snail mail, with the two to Charter (yes, two: one to the folks you spoke to, one addressed to the CEO, which will be read by a secretary and passed on to someone whose job it is to keep these things quiet) sent certified mail, return receipt requested. Those others will go to:

    Your US congressional reps- both houses, whether you voted for them or not; (i'm assuming you're in the US, if not go for the nearest equivalent of these)

    The Better Business Bureau;

    the state attorney general's office

    the FBI office that you contacted;

    The FCC;

    Anyone and Everyone whom you think might be interested, NOT counting the media. Why not? Because you want to be able to prove that you gave them a chance to correct the problem before you take it further. You are certainly allowed to suggest that it might be possible, but mention first that you need a written response from them telling what they plan to do about this (tell them what you want this to be), and mention that you will seek the assistance of a lawyer if this clear threat to you as their customer is not immediately remedied.

    Keep a copy of the letter. Offer to send supporting evidence AS SOON AS they have officially begun their remedial actions and you have received initial results. (or you may wish to send it sooner, at least the info that you feel comfortable having random secretaries seeing.)

    IANAL, but I have good reason to recommend this method. Incidentally, it works for a LOT of customer issues, and you have to be sure to send out copies of follow-up letters to the same set of people. Make sure to document hours spent working on it, and all the people whom you've spoken with and when. Media is for after their failure to remedy the matter after 1 letter, just add it to the CC list. You might try writing the second letters as two- one to the company, one to the attorney general or congressional folks, and the other to the company, and include copies of both in the envelope to the company. Their failure to help is against entirely different laws. Use the words "acted in bad faith."

    be persistent. It helps.

  73. How to make noise by fm6 · · Score: 4, Insightful
    Doing it in writing makes it easier for the CEO to pass the responsibility on quickly. All he has to do is take a few seconds to read your letter, and a few seconds to delegate the solving of your problem. He doesn't even have to try to re-articulate what your problem is through phone calls and garbled telephone tag -- you've done this for him already.
    This is absolutely correct. I've done this a couple times myself. I have no idea whether the CEO him/herself actually read my letter. Probably not. But both times I got back letters from high-ranking company officials. And not boilerplate noise, either -- carefully written letters that directly addressed the issues I raised.

    The problem with "working up the ladder" is that you're dealing with folks who are just cogs in the machine. Either they're hemmed in by procedures, or they're afraid to stick their necks out. Probably both.

    Of course, it's still likely that whoever you get in contact with will just blow you off. That's especially true if the company has legal exposure. (As an ISP in this situation certainly would!) But at least you'll know that people with actual decision-making powers are aware of the problem.

  74. man in the middle with RSA authentication by David+Jao · · Score: 2, Informative
    Because I don't enter my password over the wire, there's no way for it to be intercepted.

    What you say is technically true, but ssh1 users are still vulnerable to man in the middle attacks even if RSA user authentication is used.

    The attack relies on an incredibly non-obvious flaw in the ssh1 protocol which was fixed in the ssh2 protocol. While an attacker cannot get your passwords using this attack, he can interpose between the client and server and intercept all traffic for that session. The error message saying the server host key has changed is your only clue that such an attack is going on.

    You can read about the details in this paper. Unless you are using ssh2, you should be very wary of sudden changes in the server host key, even if you are using RSA authentication, and even if you appear to be connected to the correct server.

  75. A couple of comments on what to do in the Future by Dolemite_the_Wiz · · Score: 3, Informative

1) Bookmark this site. This is the first and best place to go when hacked and is a great source of education in general for victims of hacking.

2) You're right about the FBI. They are very limited in their scope of assistance. The only other victims they would take immediate action with are attacks on other State, local or US governmental sites (i.e. State Funded Universities, Governmental offices, etc.)

    3) Scan your logs on a regular basis.

4) Check this link out. This is the NSA's recommendations on how to hammer down Cisco Routers, Windows 2K, XP, and NT4 Operating systems. These should be used as a guide, as following all the steps in this manual would turn your machine(s) into bastion servers.

    5) Be Prepared for the ISP not talking to or Working with you on this issue. Prodigy, Qwest, and Sprint used to be and in some cases are REALLY bad at this.

    Dolemite
    ______________________

    --
    Save the World! Use a Quote!
  76. DNS redirecting is not dangerous, complacency is. by mlafranc · · Score: 2, Interesting

I always ssh to 192.168.1.13, which works just fine, and I don't use proxies; the larger concern is that an important but vestigial service got hijacked, namely DHCP.

Don't wait around for law enforcement. When someone lifts your wallet, whom do you call? VISA or the FBI? Perhaps you need to learn from this hijack, don't go nuts, screaming rape... Fix it! Put in static IPs, don't use a proxy unless you control it, after all, your ISP could be lookin' at your passwords, and cookies etc. Use SSL and SSH, and know what's going on. When something goes boom, fix it.

  77. Of course the FBI won't help, if it's their hack by RobertB-DC · · Score: 2, Interesting

    File it under P for "Paranoia", but a worst-case scenario is that you stumbled onto the FBI's own hack job.

    There could be a whole bundle of subpoenas giving them permission to monitor all communication on Charter's server... or Charter could have simply pointed an FBI agent toward the server room door and given him/her the key. Either way, you have no way of knowing that Big Brother is watching you.

    Hopefully, if it's the feds doing the hacking, they're looking for something or someone in particular. Where a hacker might dig through all the transmissions that include 16-digit numbers, the feds may be looking for all requests that include a particular email address. Let's just hope that it's not *your* email address.

    Or maybe they've got the digital signature of a prosecutable image -- if it comes across, they check out who it went to and who it came from. You'd better hope you hit the "back" button in time! Of course, you have the 4th amendment to prevent anything they discover from being used against you in court... but that doesn't keep them from using what they find out "off the record" to get "on the record" evidence they can use.

    I'm not terribly concerned about the feds (or other gov't agencies) using such a hack to compile a dossier on every Netizen, simply because 1) the signal/noise ratio is too low and 2) the government's built-in inefficiency is the best guarantor of our continued freedom.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  78. Re:use of SSL/SSH by Amer · · Score: 2, Funny

    He's serious, of course. He also goes to his bank datacenter and connects his laptop straight to the database every time he wants to check his checking account. The guys at the bank get a bit pissy, though...

    --
    -- To gain that which is worth having, it may be necessary to lose everything else. Bernadette Devlin McAliskey
  79. volunteer... if you dare. by The+Tyro · · Score: 4, Interesting

    Folks, this isn't flamebait, it's the truth. Moderators, do your worst.

    I love all the "I hate the X&!#@ Cops!!" trolls that inhabit this place; youthful rage directed at "the man"... with no concept of what it would be like to live without them.

    Here's my challenge to all those who hate the police so much: If you think you can do their job so much better than they can, go help them out. I'm serious... this is a put-up-or-shut-up challenge. I want you to spend some time in the belly of the beast.

When I was a teen, I didn't like cops... but a funny thing happened to me on the way to my current job, I became a police officer, and it's got to be one of the nastiest jobs in the world. As a doc, I deal with drunks/pimps/bangers/dealers all the time, but thankfully they are usually cuffed and/or exhausted by the time they get to me (and some of them STILL fight... ER workers get assaulted all the time by these types. Fortunately, the pharmacy is mightier than the sword). I deal with them, but I have a full contingent of burly guys +/- drugs to help me out... taking them on mano-a-mano on the street is a very different scenario. I take care of the bad people, but I also take care of the cops that get hurt fighting them. BE THANKFUL cops are out there... you don't even want to know the kind of sociopaths cops deal with every day, for pretty low pay. You want to live in a world without cops? Go ahead, but be prepared to do your own dirty work. Think you've got what it takes? You'd better be right, because you're betting your life and the lives of your family on it.

    Yes, I can hear the "boo hoo! poor cop! go eat more donuts!" trolls now... save it. You trolls can scoff all you want. Feel free to live in your "no cops" world... sounds great on the surface... but getting your ass kicked by some gangbangers when you're walking home from the LAN party some night might change your tune.

    If you've got a beef with the "racist, motherf*cking police" and want to change things, then quit complaining and start working. Learn something about the police... volunteer some of your time (it's called community service; look into it). Go to a reserve police academy and get sworn, do some ride-alongs, or donate some of your 3l337 technical skills to their investigative unit (maybe they need computer forensics help).

    Try to make things better instead of indulging in typical slashdot cop-bashing... in addition to the satisfaction of helping out your community, you might be surprised by what you learn.

    What have you got to lose? Do it.

    --
    Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
    1. Re:volunteer... if you dare. by Bob+Uhl · · Score: 3, Insightful
      I love the idiot `support the boys in blue' knee-jerk trolls which inhabit just about every place: submissive folly which refuses to recognise the very real problems in the system.

      Not a bit of your post addresses the original issues: ineffective law enforcement. The OP never said that there should not be police, IIRC: rather, he gave instances where they didn't serve a useful function, either by commission or omission.

      Certainly, law enforcement is by its nature an unpleasant profession. Certainly, there is a need for law enforcement. The original poster, methinks, would agree. If the cops stopped wasting their time on foolishness (e.g. drug, alcohol, weapons and traffic enforcement) and instead focused on real problems (e.g. rape, murder, theft and fraud), I don't believe people would particularly hate them. It's when the police are the willing enforcer-thugs of an authoritarian state that we lose our respect for them--and quite rightly so.

      As for your suggestion to volunteer: I refuse to supply my labour in order to free up time for a cop to issue a single other drug or speeding citation. I refuse to supply my labour in order to free up time for a liquor-law sting operation. I refuse to subsidise injustice.

  80. Re:nothing at all by HBI · · Score: 5, Interesting

    A quick story, if you don't mind.

In 1994 or 1995 I was late with my income taxes. I had never been late before. I was really freaking out - it was after midnight on April 15 and I was just getting done with the forms. I called my dad, woke him up, said "hey, can I use your postal meter to backdate this to April 15?" (he had a Pitney Bowes machine for his business). His reply was: "How many people file income tax returns? 150 million? How many of them are on time? Obviously not all of them. Do you think the IRS has the resources to track down every person who ever mailed their taxes in on April 16? I can't believe that in 25 years of raising you, you haven't learned that yet". He hung up with a loud click. Suitably abashed, I put a stamp on it and sent it the next morning.

Nothing further heard about it, obviously. The government is so lackadaisical about enforcement of regulations and laws that in most cases you can get away with just about anything, unless you generate the wrong kind of attention and they choose to make an example out of you. The trick is to live a quiet life and not draw attention, as the Mafia well knows. The common person believes in law enforcement because of those big cases that they see in the news, and that the district attorneys announce. It isn't because of any reality of assured punishment.

    My dad wiped the naivete out of me that day. Maybe his words can help someone else too.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  81. damages caused by loudici · · Score: 2, Interesting

    how much damage do you think the poster caused to his ISP's brand by crying wolf and claiming the DHCP server was own3d, instead of realizing he had been duped by some windows spyware?

I hope Charter does not call the FBI, 'cause my suspicion is that is way more than $5000.

    --
I hope for nothing, I fear nothing, I am free. http://euclidian.org
  82. You called the FBI for help removing spyware... by kalanar · · Score: 4, Informative

    Here's how you remove it:

    LOP Removal

    Excerpt:

    Lop masquerades as an mp3 search engine. It is capable of:

    Hijacking your starting page
    Adding the Lop Toolbar to Internet Explorer
    Adding the Lop Toolbar to Windows Explorer
    Causing frequent Windows Explorer & Internet Explorer crashes
    Popup advertisements
    Adding Lop links to your Bookmarks (Favorites)
    Installing software on your PC without your consent
    Tracking your site visits and reporting them back to Lop (for advertising purposes)

Now where's my check for the 5 minutes that it took to google for this? Your question of "Why don't these agencies handle these kinds of problems?" is ironically answered by your real issue. The FBI is not your local computer repair shop.

    I would run a program like Ad-Aware to remove any other spyware that you have installed. And next time that you're "hAx0r3d" go to google and search for "hostnamethatisHax0ringme.com spyware"

  83. Re:up the ladder/phones calls are wrong way to tur by the+morgawr · · Score: 2, Insightful
    At most companies that I know of the logic works like this:

"If someone took the time to call/write our CEO, they must be really frustrated. This can be one isolated incident, what happened to everyone who DIDN'T call? This is losing us money!"

This same logic is used by Congressmen. If one person cares enough to write, there "must" be other people out there who didn't.

    --
    The policy of the United States is worse than bad---it is insane. -- Ludwig von Mises, Economic Policy(1959)
  84. ISP Support by MyNameIsMok · · Score: 2, Interesting

Hi,
I have had (and am still having) to contact Comcast's technical support for their customers' machines that are infected with Nimda and are attacking my web server. Ideally, these systems are violating Comcast's (and any ISP's) Acceptable Use Policies.
So, I first was just sending an email for each day's activity to their typical complaint email (abuse [atsign] isp.net) and receiving the automatic response. I figured I could build up a history of reporting before up'ing the ante with my provider.
After a month, I started calling technical support. This basically got me up to tier two (since no one on tier one knew what I was talking about). Later, I got more long distance numbers for internal Comcast contacts, but which, in reality, went nowhere or to a pre-recorded message.
Next, after two months, I filed a Better Business Bureau (bbb.org) report. _This_ got their attention (when it eventually found the right department). I now have one tech and the tech's boss assigned to my problem. So, now I send my daily (ok, so, I don't send one every day, just one for each day's activity) activity to the default abuse line and to the two other people.
Actually, this has been effective. I went from seeing from 500 to 1200 hits a day from Nimda infected machines to less than 300 a day (on average). There was even a day when it was less than 50, but I found out later that one of their network nodes went down. ... just my 2p ...
sTc

    --
    Most things worth doing are worth doing twice. -- me I think or was that my boss' methodology?
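The daily abuse report described in the post above can be produced mechanically from the web server's access log. The following is an added example, not the poster's own tooling: it parses Apache common-log-format lines (the sample lines are constructed, using documentation address ranges), matches the well-known Nimda propagation requests (probes for root.exe or cmd.exe via traversal paths), and groups hits per day and per source address for the abuse mailbox.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log in Apache common log format. The addresses
# are from documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
198.51.100.23 - - [14/Jun/2003:01:12:07 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
198.51.100.23 - - [14/Jun/2003:01:12:08 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
198.51.100.23 - - [14/Jun/2003:01:12:09 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
198.51.100.23 - - [14/Jun/2003:01:12:10 -0400] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
192.0.2.77 - - [14/Jun/2003:02:30:00 -0400] "GET /index.html HTTP/1.1" 200 1043
203.0.113.9 - - [15/Jun/2003:11:05:41 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
"""

# One common-log-format line: client, identity, user, [timestamp], "request", status, bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Nimda's HTTP propagation attempts all end in root.exe (left behind by
# Code Red II) or cmd.exe reached through a traversal path; matching on
# that suffix covers the different URL encodings the worm cycles through.
NIMDA_RE = re.compile(r'/(root|cmd)\.exe(\?|$)', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one CLF line, or None if the line is malformed."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "time": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def is_nimda_probe(path):
    """True when the request path carries the Nimda probe signature."""
    return NIMDA_RE.search(path) is not None


def summarize(log_text):
    """Map day (ISO date) -> source IP -> {'count': hits, 'paths': set}."""
    days = defaultdict(lambda: defaultdict(lambda: {"count": 0, "paths": set()}))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_nimda_probe(rec["path"]):
            continue          # malformed line or ordinary traffic
        day = rec["time"].date().isoformat()
        entry = days[day][rec["ip"]]
        entry["count"] += 1
        entry["paths"].add(rec["path"])
    return days


def abuse_report(day, summary):
    """Plain-text report for one day, busiest source first, for abuse@isp."""
    lines = [f"Nimda probe activity against our web server on {day} (timestamps as logged):"]
    for ip, entry in sorted(summary[day].items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f"  {ip}: {entry['count']} request(s)")
        for path in sorted(entry["paths"]):
            lines.append(f"      {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for day in sorted(summary):
        print(abuse_report(day, summary))
        print()
```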
  85. Re:nothing at all by Doobian+Coedifier · · Score: 2, Informative

    Um, no. SPD are allowed to wear their uniforms while they are off-duty, providing security or directing traffic for private companies. Have you ever seen a cop standing around in a grocery store late at night? They're paid by the store, not the city.

  86. Driving While Hispanic...true story... by MsGeek · · Score: 3, Insightful

    My husband is white. Obviously white. However, he shaves his head, and has a goatee. For a time, we also drove around in a 1979 Olds Cutlass, one of the cars Latino gangs favor.

    For the time we owned the Cutlass, my husband got pulled over on a regular basis.

    The M.O. was the same. Richie gets pulled over. He is instructed to put his hands on his head. The cops eyeball the car, then finally check him out. The blue eyes are a dead giveaway that the person they pulled over does not "fit the profile."

    The cops then go into a very embarrassed hemming and hawing dance. "Terribly sorry, sir, continue on your way, have a good one."

    I dread to think what would have happened had Richie actually been Latino. We now drive around in a beige Chevy Nova '86 (basically a Toyota Corolla) and he hasn't been pulled over since.

    Lousy fuckin LAPD...

    --
    Knowledge is power. Knowledge shared is power multiplied.
  87. If you want to get someone's attention... by scovetta · · Score: 2, Funny

    just trade an MP3 and wait for the RIAA to contact the FBI for you!

    --
Whoever fights monsters should see to it that in the process he does not become a monster. --Nietzsche
  88. Re:up the ladder/phones calls are wrong way to tur by AJWM · · Score: 2, Informative

    True, snail mail will take a couple of days, but it will get there -- a phone call might not.

    If the issue is important enough to you to spend a few bucks on, send it Priority Mail or FedEx or equivalent. Not only will it get there faster (especially FedEx etc), it will be perceived as More Important and less likely to get hung up with a secretary.

    --
    -- Alastair
  89. Tech Support by EtherBoo · · Score: 4, Informative
This may seem redundant, and it may seem a bit trollish, but seeing it from the TSR (Technical Support Representative) perspective, we really don't care. I mean, think of it like this, you do have a point, and what's happening should be taken care of, but the guy who answers the phone is going to think you're just paranoid. If he talks to a supervisor, the supervisor is going to tell you that we are currently fine, and there are no hacks going on, unless of course we have been notified, in which case, we say something like, "Sorry for the inconvenience, blah blah blah. We are working with our NOC to resolve the issue, blah blah blah." As sorry as I am to say it, it's not worth it to us to care. We don't get paid enough, and as employees, we are just treated like garbage, at least at the place I work. Basically, the only thing you can do is send an email to Abuse, or just sit and wait, realizing that there isn't anything we can do. Tech support is really just for the end user that doesn't know any better. Anyone that knows anything is going to have a much harder time with support. Sorry.

Hope you didn't give them your /. user id and pass.

  90. The United States criminal computer laws by EaglesNest · · Score: 3, Insightful

The FBI is going to ignore anything unless you allege that you lost $5,000. In the real world, unless you see some fraud on your credit card after thieves stole your number off your computer, they probably aren't going to care. Also, if someone uses your computer to attack and damage other computers (or even deface) that might get their attention. Here's the main collection of federal laws that apply to computer crime.

    http://www.cybercrime.gov/cclaws.html

    And here's the primary criminal law that applies:

    18 USC 1030. Fraud and related activity in connection with computers

    (a) Whoever--
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y.[(y)] of section 11 of the Atomic Energy Act of 1954 [42 USCS § 2014(y)], with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
    (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains--
    (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
    (B) information from any department or agency of the United States; or
    (C) information from any protected computer if the conduct involved an interstate or foreign communication;
    (3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
    (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $ 5,000 in any 1-year period;
    (5) (A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
    (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
    (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
    (B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)--
    (i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $ 5,000 in value;

  91. Re:Call tech support, but embarrass them too by InfoVore · · Score: 4, Interesting
    I'm truly amazed that Charter and the FBI blew you off like this.

Don't be. Serious threats get blown off all the time by law enforcement and business. Sad, but true.

    You need to read Clifford Stoll's The Cuckoo's Egg. It is an amazing account of how he helped track down the Hanover Hacker (a paid Soviet spy).

The FBI blew him off too, at first. He discovered a hacker was moving through the UC Berkeley computer systems at will and using it to crack other systems. He discovered this when he was investigating a 75 cent discrepancy in the departmental billing for computer time. The FBI told him: "don't call us unless it is at least $1 million in damages". Eventually he convinced one agent of the seriousness of the problem (HH was using Berkeley and other systems to try to crack DoD systems). Over the course of 3 years, Stoll was instrumental in helping the FBI/CIA and others crack one of the biggest international computer spy rings ever. Stoll was a grad student in astronomy at the time. Great book. Oh and he threw in a really good chocolate chip cookie recipe too.

    Get the book, you won't regret it.

    I.V.

    --
    "These laws they're passing won't even compile anymore, let alone execute." - anon
  92. And now you see.... by MortisUmbra · · Score: 3, Insightful

The law isn't to protect you and me, it's to protect the people who pay the lawmakers....corporations. I guarantee you if someone hacked into your PC, stole your credit card, and charged $1,000 to it the FBI wouldn't do sh!t. Factor in as much money as you want for your time in tracking it down. They wouldn't care, because you are not on payroll at a corporation, so the damage is minimal. Money talks, same as always, and corporations have more of it than an individual. Now if you were a multi-millionaire and actively donated to political funds, I bet it would be different.

    --

    "The saddest words of mice and men, are not those which were, but should have been."
  93. Rule #1, citizens dont count by nurb432 · · Score: 4, Insightful

While you may think I'm joking, I am serious.

None of this stuff is to protect the citizens. Unless you are a large corporation or an elected official you are out of luck.

I'm surprised they even talked to you at all personally. Even small companies have a hard time getting any help, they are too 'trivial' to bother with.

Not saying I agree, it's just reality.. they DON'T CARE about 'us'.

    --
    ---- Booth was a patriot ----
  94. Basically... by theolein · · Score: 4, Insightful

It means what we already knew: That you as a single person are of no value to your government. This is the real world in which corporations can get tax breaks, get away with multi million dollar fraud, sic the feds onto you for sharing an mp3, sue you for your life's savings and the world in which you are powerless. It's exaggerated but this is why communism was so popular in the early 20th century. The commies promised to put the rich fuckers up against the wall and shoot them. (They did this of course, but thereafter they were the ones treating you like shit)

    The next time you think big business and globalisation is fine and that those pesky anti-war demonstrators should get locked away, think of this again. ...and perhaps you should check your hosts file in c:\windows\system32\drivers\etc as well ;)

  95. Truth about the IRS by Anonymous Coward · · Score: 3, Informative

1) If you are/were due a refund there are no penalties. If you owed you would have received a bill for late filing, late payment and interest.

2) The Pitney Bowes meter is not a valid proof of mailing- for exactly the reason you describe. Only the official rubber date stamp at the post office (and now UPS, and I believe FedEx)

  96. Just eatin donuts? by NewtonsLaw · · Score: 2, Funny

    You've got to wonder what all these Federal Justice employees do with their days.

    Before I started my low-cost cruise missile project, I emailed the FBI and the relevant defense program, letting them know what I planned to do, offering to take on board any suggestions they might have and making my objectives quite clear.

I got no response at all, save an automated acknowledgement from the FBI.

    After the project captured the media's attention and got broadcast around the world, the authorities stated that they weren't happy and that my actions were "unhelpful."

    Well excuse me! Don't these people read their damned email? If they have a problem with what I'm doing why didn't they simply contact me in the several weeks between when I notified them and when the media picked up the story?

    However, in the wake of the media-coverage and the authorities' apparent dissatisfaction with what I was doing, I sent a follow-up email to the FBI (using the contact form on their website) and the relevant defense agency.

    Guess what -- still no response.

    Has a stack of Federal donuts fallen over and crushed everyone responsible for dealing with incoming email or something???? Or maybe it's just easier to moan about things than actually do something about them.

    Sigh!

  97. Local Law Enforcement is the way. by revcorrupt · · Score: 2, Interesting

I would contact your local police department. It may also be a good point to tell them that they might want to search for local Credit Card Fraud problems, because they could be associated with this matter. It appears that it would be much more of a local crime instead of a Federal Offence, simply because it does not have any grand financial loss. Local police departments are not all bad. In fact, most will gladly put you in touch with administrative personnel that are normally knowledgeable with computers. Just remember, once you involve the legal system, you lose all rights to your equipment!!!
If you contact Law enforcement at all, they can come in and take your equipment with a court order at any time, and they are generally NOT nice about it! Most of the collection personnel do not even know what the lawsuit is about, and as far as they know, you're a pedophile.
    Generally, it is not this way with correct cooperation and procedures, however be prepared for anything.

    Good luck.