Slashdot Mirror


Getting Law Enforcement Action for a Large-Scale Hack?

HeelToe asks: "Two nights ago, I sat down to do a few chores with finance websites and check my mail. To check my mail, I use an ssh connection and read it via mutt. I had already hit Slashdot for my semi-hourly dose of content, but then noticed my ssh client complaining about a difference between its cached copy of the server key and the server key presented, so I started investigation. After figuring out what was going on, I contacted the tech support line for my service provider (Charter Communications) to no avail, as well as the FBI and NIPC, again, both to no avail. There are all these laws and all this hype about enforcing these computer crime laws - what must an end user do to get some enforcement done? Read on for more, much more..." Update: 06/21 19:13 GMT by C: As it turns out, the issue wasn't a hack at Charter but a particularly nasty form of Spyware. Still, the question is valid, and some of the suggestions already given have been real informative. Keep 'em coming!

"So I determined that I was connecting to xxx.p5115.tdko.com instead of xxx. I started looking at dns settings. Of course, under Windows, the default is to accept the default dns domain specified by a DHCP server for the PC's ethernet connection. There are settings to disable this, but I hadn't thought about it until now. It turns out, Charter Communications' DHCP servers were infiltrated and were providing p5115.tdko.com as the 'Connection-specific DNS suffix', causing all non-hardened Windows (whatever that means in a Windows context) machines to get lookups from a hijacked subdomain DNS server which simply responded to every query with a set of 3 addresses (66.220.17.45, 66.220.17.46, 66.220.17.47).

On these IPs were some phantom services. There were proxying web servers (presumably collecting cookies and username/password combos), as well as an ssh server where the perpetrators were most likely hoping people would simply say 'yes' to the key differences and enter in their username/password.

Has anyone else seen this type of attack before? Pretty sneaky. I bet it would slip by most people that don't use anything but a web browser. This makes me want to step up my plans to put an OpenBSD firewall in place and allow it as little trust of the outside world as possible, providing more trusted DNS/DHCP services to the hosts on my network. It would be nicer to be able to boot the thing self-contained-and-configured off read-only media and have no writable access to anything from the operating system to totally prevent break-in/tampering.

With respect to the law enforcement issues, I first called Charter, and after 10 minutes on hold was told to submit a report to their abuse account. I asked the tech support rep if they really wanted me submitting the incident report through a hijacked proxying web server. I hadn't yet reconfigured my Windows systems because I wanted to collect as much information as possible while the attack was still live. The long and short from the tech support rep was they'd look at it, but couldn't do anything with respect to responding to me about it unless I submitted that report.

I moved on to calling the FBI. The after hours person had no idea what evidence collection procedures I should follow, nor if their office would even be interested in investigation. I was told to call back during business hours. I did a little searching and found the National Infrastructure Protection Center. I gave them a ring and was asked to fill out an incident report. I was told it would be reviewed in the NOC quickly and a decision made about further investigation. The rep answering the phone said to collect any and all information I could think of regarding the attack. I got a response later this morning that their NOC personnel had evaluated the report and decided not to investigate further.

I called the FBI back this morning, only to be told they generally didn't investigate these types of crimes for individuals, but usually only for companies that had lost at least a couple thousand dollars. To inflate my ego a bit, I asked if I could count my time cleaning up/investigating as a loss of this magnitude and was told no, that it would have to be a financial loss like is associated with internet credit card fraud. Given how Kevin Mitnick was convicted and sentenced on 'evidence' that included employee time for investigation and cleanup, why is this any different for me?

With respect to getting some action on any future attacks - what should I do? Who should I call? I'm not a h/\x0r, and I have reasonable investigation skills, but aren't there professionals doing this to uphold the law? What's the point of all those federal laws anyway? Monitoring of third party communications, without the consent of either party; unauthorized access to Charter's systems - the list can go on a lot further depending on the activity happening at those proxying servers. Are these laws just tools to oppress unpopular computer criminals but just plain not enforced most of the time?

I found this situation and particular method of attack interesting... hopefully this was fun to read. If you have suggestions for what I should do in the future to handle attacks, I'd love to hear about it!"
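The symptom HeelToe describes (every name under the DHCP-supplied suffix resolving to the same three addresses) can be checked for directly. The Python below is an added example, not HeelToe's code: it probes random labels under a suffix and reports a catch-all zone, then lists which short hostnames the user actually types would land on it. It takes a resolver callback so it can run against the real OS resolver or, as here, against a constructed fake built from the addresses in the post.

```python
"""Detect a catch-all DNS suffix: every name under the suffix resolves to the
same small address set, so short hostnames are silently redirected."""
import random
import socket
import string
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], Set[str]]  # FQDN -> IPv4 strings, empty if no answer


def system_resolver(name: str) -> Set[str]:
    """Use the OS stub resolver (i.e. whatever DHCP configured); empty on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def random_label(length: int = 12) -> str:
    """A label nobody would have registered, e.g. 'k3x9q1zp0a7b'."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def probe_suffix(suffix: str, resolve: Resolver, probes: int = 4) -> Dict:
    """Resolve several random labels under `suffix`. A sane zone answers
    NXDOMAIN (empty set) for all of them; a catch-all zone answers every
    query with one identical address set."""
    answers = [resolve(f"{random_label()}.{suffix}") for _ in range(probes)]
    catch_all = all(answers) and all(a == answers[0] for a in answers)
    return {
        "suffix": suffix,
        "catch_all": catch_all,
        "addresses": sorted(answers[0]) if catch_all else [],
    }


def hijacked_hosts(hosts: List[str], suffix: str, resolve: Resolver) -> List[str]:
    """Short hostnames whose suffix-qualified form lands on the catch-all
    address set: the names the user types (mail, www, ...) that would in
    fact connect to the impostor."""
    probe = probe_suffix(suffix, resolve)
    if not probe["catch_all"]:
        return []
    bad = set(probe["addresses"])
    out = []
    for host in hosts:
        answer = resolve(f"{host}.{suffix}")
        if answer and answer <= bad:
            out.append(host)
    return out


# Constructed sample resolver modelling the incident: the suffix from the
# post answers everything with the three addresses from the post, while a
# legitimate suffix has one real record and NXDOMAIN for everything else.
IMPOSTOR = {"66.220.17.45", "66.220.17.46", "66.220.17.47"}


def fake_resolver(name: str) -> Set[str]:
    if name.endswith(".p5115.tdko.com"):
        return set(IMPOSTOR)
    if name == "mail.example.net":
        return {"192.0.2.10"}
    return set()


if __name__ == "__main__":
    # Swap fake_resolver for system_resolver and the suffix for the one
    # shown by `ipconfig /all` (or the `search` line of resolv.conf) to
    # check a live machine.
    for suffix in ("p5115.tdko.com", "example.net"):
        print(suffix, probe_suffix(suffix, fake_resolver))
        print("  hijacked:", hijacked_hosts(["mail", "www"], suffix, fake_resolver))
```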


  1. Call tech support, but by aridhol · · Score: 5, Informative
    If you can't get the tech support to help, try escalating and turboing the problem. Eventually, you'll talk to someone at the ISP who can or will do something. If not, it's time to get a new provider.

    It sucks that the law-enforcement agencies won't help private individuals; however, since it's a company that's being hacked, they should be able to put their resources on it.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
    1. Re:Call tech support, but by Otter · · Score: 5, Insightful
      (Wow, 32 comments and no one has told him it's his fault for using Windows?!?)

      It sucks that the law-enforcement agencies won't help private individuals; however, since it's a company that's being hacked, they should be able to put their resources on it.

      The problem here seems to be this: the company has been hacked and it's the customer researching the problem and trying to get help. The FBI isn't particularly interested in hearing some guy talk about a compromise of someone else's server -- hopefully Charter is dealing with them and the agents shouldn't be keeping you informed of the status of an investigation to which you're basically a bystander.

      Sorry, HeelToe, you're being a good guy and did the best you could. Now, it's between you and the ISP.

  2. Post it to Slashdot by ites · · Score: 5, Funny

    Which will do two things:

    1. you will get realtime help. OK, there are better ways but this is a _big_ audience you have here.

    2. post a link to the offending server, and the /. effect will wipe it out.

    --
    Sig for sale or rent. One previous user. Inquire within.
  3. Money == attention by Whammy666 · · Score: 5, Insightful

    It has been my experience that unless there is some large monetary losses involved, then you're going to have a hard time getting law enforcement to do much of anything. Generally, for simple break-ins, they expect you to handle it yourself (typically contacting the ISP of the hacker).

    --
    When all else fails, run.
  4. This is giving me the cold sweats by Glyndwr · · Score: 5, Interesting

    I bet an attack of this nature turns up an absolute shedload of valuable, confidential information, and I bet there are plenty of pissant ISPs in the world with poorly configured DNS servers too. How often has this kind of attack been found? I'm suddenly real glad I run my own DNS server behind my firewall.

    "No financial losses" my ass. Let's see what Visa's customers have to say about that when the logins for half a million credit card e-banking systems get compromised. Hmm, almost makes me wish I could detect a similar attack so we could see what the UK police would do. "Intarweb, sir? Nah, not on our patch, you seee...."

    --
    You win again, gravity!
  5. There's your problem... by Anonymous Coward · · Score: 5, Funny

    You called Charter tech support?

    It's a wonder they didn't tell you to reboot your modem, reboot your PC and verify that the network card is listed in Device Manager.

    That's about all I've ever gotten out of them.

  6. Contact the police local to the offenders by c0d3h4x0r · · Score: 5, Interesting

    Look up the IP registrations, find the owners' locale, and then contact that local police department. Tell them a federal crime (felony) is being perpetrated on a grand scale, and that you need to speak with someone with extensive computer/internet/technical knowledge to report all the details.

    --
    Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
  7. F*ck the police by LS · · Score: 5, Insightful

    The computer police too. I've been mugged, robbed, and assaulted multiple times in my life, and the police were never interested in helping. My car was just broken into, and I had $4000 in computer equipment stolen out of it. I called to file a report and have them come down and dust for prints, and they said that they can't send anyone down.

    Of course, I've been stopped and harassed by cops on a number of occasions. My brother gave me a small cut in a fight that required stitches, and they investigated my parents for child abuse. I've been accused of possessing marijuana for having a tomato stem in the cup holder of my car. I have to drive through a police checkpoint every day on the way back from work on highway 15 in San Diego. After I hit a spare tire that flew off the back of a car in front of me, the police officer wanted to write me a ticket because he was upset that he had to drive out and take a report.

    I'm a law abiding citizen without a mark on my record, and I can still say: fuck the police

    LS

    --
    There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
  8. Read the Cuckoo's Egg. by Jon+Abbott · · Score: 5, Interesting

    The book Cuckoo's Egg by Cliff Stoll deals with this issue specifically... Someone kept hacking the author's computers at Lawrence Berkeley National Labs (coincidentally, that makes twice in two days that I've mentioned a National Lab on slashdot), and he has to convince the authorities that it is truly worthy of investigation... The FBI points him to the CIA, the CIA points him to the FBI, so a lot of the story deals with the social engineering required to get the authorities to actually listen. It's really a great read, and you can find used copies on Amazon for a penny.

  9. The Point of all those Tech Laws by huckamania · · Score: 5, Insightful

    They are there to protect businesses and the government itself.

    This is a disturbing trend in the United States of Lawyers and short of a revolution there is not much that can be done to reverse it. Just look at the article from yesterday where Orrin Hatch wants to exclude copyright owners from anti-hacking laws so they can destroy a personal computer. It's sad and scary.

    What the USL needs is a new Bill of Rights that protects people from corporations.

  10. RISKS by kzinti · · Score: 5, Informative

    I can't help you with getting the attention of law enforcement or the service provider, but when all is said and done, I bet Peter Neumann at the ACM RISKS Digest would love to publish your story. The RISKS readers would be interested in the original hijacking, and just as interested in the lackadaisical response by those who could do something about it. The risks posed by both problems are the forum's reason for being.

  11. Call them Terrorists by Alan · · Score: 5, Insightful

    I say this only partially in jest, but maybe try contacting the dept of homeland defense, or GWB himself or something. Call it terrorism, they'll be shut down faster than you can say "foo".

    Seriously though, with the increase in the gov't involvement and crackdown on cyber terrorism (or they say there is) isn't this a prime candidate?

    That said, it's scary that the ISP doesn't seem to give a fark about this. If I was in charge of their security I'd be fixing this as quickly as possible, not letting my company's customers continue to use a compromised service. Wouldn't it be considered negligence to allow your customers to continue using a server you know to be compromised (ie: not changing the DHCP server back, or simply shutting down all access)? Personally I'd much rather lose my net access for a bit while this is cleaned up than my ISP knowingly let me proxy through sniffers and password grabbers.....

  12. Re:Well, you have done some good here already. by aridhol · · Score: 5, Informative

    Of course, that only affects those who use passwords for SSH. I generally prefer RSA user authentication. One of the reasons is laziness - I only have to enter my key's password once, and it authenticates to SSH servers for me. And, of course, there's security. Because I don't enter my password over the wire, there's no way for it to be intercepted.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  13. VISA would have been my next call. by garyrich · · Score: 5, Insightful

    *They* will certainly care about a hijacked proxy archiving account numbers and sniffing passwords. Now, when they call your ISP - I bet they would take immediate notice.

    --
    -- your Web browser is Ronald Reagan
  14. lop.com by athakur999 · · Score: 5, Insightful

    Have you tried running Spybot or Adaware lately? If you try going to p5115.tdko.com, you'll find it's a website for lop.com. Which, incidentally, is an infamous purveyor of spyware:

    http://www.spywareinfo.com/articles/lop/

    --
    "People that quote themselves in their signatures bother me" - athakur999
  15. Re:nothing at all by Anonymous Coward · · Score: 5, Interesting

    I have always been surprised by how uninterested cops are in investigating some crimes. I once had a $500 camcorder stolen while I was packing my bags into a cab right outside a hotel. The guy who took it and ran was caught on the hotel security camera, but the cops didn't even bother to come and take a look at it. They were like, "well, unless they have a full name tag on the video, it's not worth our time." I kind of understand that $500 is not worth doing facial recognition checking against some database, but you would think they would at least want a snapshot of the guy's face to store in some file cabinet in case he commits a more serious crime to retrace his steps.

    Kind of reminds me of Giuliani's (NYC mayor) statement that letting people get away with small crimes usually leads to them committing major ones. Also reminds me of the Washington sniper case-- had the cops cared more about documenting and investigating their convenience store robbery, they would have probably been caught a lot sooner.

    Do we really have so much crime in this country that the city cops do not have the resources to care about $10000 crime?

  16. Re:Call tech support, but embarrass them too by tigris · · Score: 5, Insightful

    I'm truly amazed that Charter and the FBI blew you off like this.

    You've already tried going through channels so the next step is embarrassing them into doing something about it - notifying news media outlets and posting to slashdot are probably all you can do though. If Charter has any specific usenet groups like @Home used to have, I'd post this info there as well.

    Best thing would be to get this on TV as then they can't ignore it. Charter is based in St. Louis and I'm sure one of the consumer affairs reporters at one of the TV stations in town would be interested in finding out that the major ISP in town is letting their users' passwords and other info get leeched.

  17. Writer is an idiot. He has C2Media ad/spyware!! by Anonymous Coward · · Score: 5, Interesting

    % whois 66.220.17.46
    Hurricane Electric HURRICANE-3 (NET-66-220-0-0-1)
    66.220.0.0 - 66.220.31.255
    C2 Media Ltd HURRICANE-CE1076-331 (NET-66-220-17-0-1)
    66.220.17.0 - 66.220.17.255

    This is the infamous lop.com customized ad/spyware, see lop.com and wrn.net. The thing with the domain suffix is a trick with 127.0.0.1. This type of software typically installs a search toolbar in IE and they seem to come in a multitude of different versions. It's the worst of breed.

    C2 Media claims that people click through an EULA and know what they're installing. I know all this because my Dad had a "weird extra toolbar and popups to go online gambling". He found the running binary, I looked through a hexdump of it and there was their EULA alright. But he never saw it. This critterware can even get installed by merely mousing over a banner.

    Don't believe me? Google for "lop.com, adware, toolbar"...

  18. Try calling Scotland Yard by FreeLinux · · Score: 5, Interesting

    Here is the info on the addresses you provided.

    Lop.com
    Unit 12
    571 Finchley Road
    Hampstead
    London, NW3 7BN
    UK

    Domain name: LOP.COM

    Administrative Contact:
    Live, Media webmaster@lop.com
    Unit 12
    571 Finchley Road
    Hampstead
    London, NW3 7BN
    UK
    + 44 7817 130 743
    Technical Contact:
    Live, Media webmaster@lop.com
    Unit 12
    571 Finchley Road
    Hampstead
    London, NW3 7BN
    UK
    + 44 7817 130 743

    Registrar of Record: TUCOWS, INC.
    Record last updated on 12-Mar-2003.
    Record expires on 06-Oct-2005.
    Record Created on 07-Oct-1998.

    Domain servers in listed order:
    NS1.LOP.COM 66.220.17.5
    NS2.LOP.COM 66.220.17.5

  19. The reason law enforcement won't investigate by djbrums · · Score: 5, Informative
    I worked as a security officer for many years, working with law enforcement on issues such as this. In reality, what you've run up against is a fundamental problem with computer law. Almost any offense they could charge the perpetrator with is a felony, thus the FBI should handle the case.

    So what does it take to get the FBI to investigate? There are about 4 different things the bad guys could do:

    • Cause $5000 worth of damages. What "damage" means is not standardized. Some district attorneys read the law as meaning $5000 worth of physical damage! In any case, most interpret this to mean $5000 in damages from the hack, but recovery time is not necessarily included. Thus, the question of whether your credit card was used.
    • Breaking into a financial institution.
    • Cause a public health threat, such as by breaking into a hospital.
    • Attacking the interests of the US, i.e. the gov't.

    The problem is you don't fit into any of these categories for the FBI. Suppose you did come up with the required damages. Then the FBI have to choose whether to pursue your case or another. If someone else is causing more problems, they'll investigate them instead of your case. If you don't have any idea who's doing the hacking, then again they'll probably go after someone who they think is easier to catch. Last, they'll try to decide whether or not they think the case will lead to an easy conviction. If not, again you're screwed.

    Basically it's a matter of priorities, and this doesn't sound like a large enough hack to be more than the blip of a Cessna at an international airport full of 747's.

    It sucks, but that's how it is. What would be good is if hacking resulted in a fine, or some other misdemeanor. Then convictions would be easy, and the bad guys would quickly learn crime doesn't pay in the small case, and the big cases result in the FBI actually going after them.

  21. up the ladder/phone calls are wrong way to turbo by Anonymous Coward · · Score: 5, Interesting

    This "turbo" link gives advice better than most, but it's still not right. I have read so many times on slashdot posters' advice to work your way up the chain of command in a corporation. That is inefficient and won't get you results.

    The turbo article says, "phone the CEO's office". That's better, but a phone call is too easy to blow off and it easily gets lost in the shuffle.

    From experience within corporations at the highest levels, here is what works best. When you get blown off by lower level tech support, immediately write a letter to the highest people in the corporate food chain, its Board members or CEO. What typically happens is the letter will be passed down the line to the High Level Person who can handle it (some VP, for example) with instructions scrawled on the letter using a pen by the CEO which says something like, "Look into this, handle it, and let me know what happened."

    This is real life, people. Now you've got VPs at the highest level running around trying to solve your problem, who are required to report back quickly to a quixotic boss who has the power to fire them. This process is a model of efficiency - you quickly wrote a letter; the CEO very quickly scanned it, acknowledged the problem and quickly prescribed that a solution be found - and now the engines of the corporation are at work scrambling to solve your problem.

    Doing it in writing makes it easier for the CEO to pass the responsibility on quickly. All he has to do is take a few seconds to read your letter, and a few seconds to delegate the solving of your problem. He doesn't even have to try to re-articulate what your problem is through phone calls and garbled telephone tag -- you've done this for him already.

    So, this turbo approach gets it only half right. Yes, they're right - working your way up the ladder doesn't work, only down the ladder works. But, you've got to do it in writing, and quickly. That's the way to get fast results.

  21. go after the next rung by arget · · Score: 5, Informative

    The government is worthless in this. They're reactionary, not preventative, and even then will only give you the time of day if there's hard money or data loss involved.

    Charter was woefully unconcerned, and as their customer, I'd raise hell, escalating up their corporate food chain.

    To get at the actual attacker, go the next rung, look at who owns/controls the IPs that you're being redirected to.

    http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-66-220-17-0-1

    CustName: C2 Media Ltd
    Address: P.O. Box 1113
    City: Shalimar
    StateProv: FL
    PostalCode: 32579
    Country: US

    who are in turn a customer of Hurricane Electric

    TechHandle: ZH17-ARIN
    TechName: Hurricane Electric
    TechPhone: +1-510-580-4100
    TechEmail: hostmaster@he.net

    OrgTechHandle: ZH17-ARIN
    OrgTechName: Hurricane Electric
    OrgTechPhone: +1-510-580-4100
    OrgTechEmail: hostmaster@he.net

    Go to Hurricane, and ask them why they're letting this go on. They'll be more concerned. You've indemnified Charter in your service agreement, most likely, and can't sue them. Hurricane has no such protection from you and will, ironically, be more responsive than your own ISP.

  22. FBI/Federal attitude... by gandy909 · · Score: 5, Interesting

    I have 2 things that happened where the 'feds' were involved, and I can say from experience that this is exactly the response you will get from the feds for trying to do the right thing.

    I have a dialup inet connection at home. Sux, but that's my only viable option at the moment. I stuck a 6.1 or 6.2 Redhat box on the modem and set it up as a firewall/default gateway for the other 3 (Windows) pc's in the house. The kids have to play online games, etc, ya know. I stupidly left the ftp server running for some reason. Worked flawlessly for 2 years. One day I came home and the box had crapped out in the midst of booting with a strange error. Finally got it up and things didn't even look right. Yup, I had finally had my first experience at being rootkit'd. Fortunately they had used a screwed up rootkit and it didn't like something about my system or the OS and it crashed on reboot.
    I freaked out and called the FBI right away in case they wanted the box to 'collect forensic evidence' or something. The conversation went like this, and the money figure is the one he used:
    "Hello, FBI"
    "Hi, I got my computer system hacked into. What do we do now?"
    "Uh, did you lose at least $50,000.00?"
    "No..."
    "Sorry, we could care less then. Goodbye"

    My other story, and I was more upset on it, happened when I worked at the courthouse when the 'dad's'(or mom's) paid the support there so the court could track the payments, then we would deposit it and write our own check to the 'mom's' (or dad's) and mail them out. A person we sent a check to lived in an apartment, but had moved and hadn't given us his/her new address. Someone else was now living in the apartment where we sent the check. To top it off, the post office had mis-delivered the check to a different apartment in the complex. (I know, it is confusing) Anyway, the person who got the check didn't know that the person it was made out to had moved. This person, knowing it was a check for a substantial amount of money, went to the address on the envelope and told the person who (now) lived there that they would only hand over the check for a certain percentage of the amount!!! This person said she would think about it and immediately called us. At this point we have the perfect 'sting' waiting to happen, and all the authorities have to do is be present when the blackmailer returns to settle the deal! So I called the FBI and they said they didn't care, and I should call the postal inspectors office. So I did. This guy said if there wasn't 'thousands and thousands' of dollars at stake he wasn't interested in the least.
    So here we have a real crime happening and no one cares, but when some kid goes out and knocks over a few mailboxes they throw the book at em. Those two events alone were more than enough to tell me to NEVER trust the federal gov't nor rely on them to do the right thing where individual citizens are involved. And this was all before that moron Ashcroft got in charge. (who is unfortunately from my state, and boy were we glad to get rid of him, or so we thought!)

    --

    (Stolen sig) Remember: it's a "Microsoft virus", not an "email virus", a "Microsoft worm", not a "computer worm
  23. it's all about cc: by SolemnDragon · · Score: 5, Insightful
    Write a letter.
    Send it to Charter. List at the end the OTHER people to whom you are sending it, and you'll need to send them all snail mail, with the two (yes, two- one to the folks you spoke to, one addressed to the CEO, which will be read by a secretary and passed on to someone whose job it is to keep these things quiet) to Charter certified mail, return receipt requested. Those others will go to:

    Your US congressional reps- both houses, whether you voted for them or not; (I'm assuming you're in the US, if not go for the nearest equivalent of these)

    The Better Business Bureau;

    the state attorney general's office

    the FBI office that you contacted;

    The FCC;

    Anyone and Everyone whom you think might be interested, NOT counting the media. Why not? Because you want to be able to prove that you gave them a chance to correct the problem before you take it further. You are certainly allowed to suggest that it might be possible, but mention first that you need a written response from them telling what they plan to do about this (tell them what you want this to be), and mention that you will seek the assistance of a lawyer if this clear threat to you as their customer is not immediately remedied.

    Keep a copy of the letter. Offer to send supporting evidence AS SOON AS they have officially begun their remedial actions and you have received initial results. (or you may wish to send it sooner, at least the info that you feel comfortable having random secretaries seeing.)

    IANAL, but I have good reason to recommend this method. Incidentally, it works for a LOT of customer issues, and you have to be sure to send out copies of follow-up letters to the same set of people. Make sure to document hours spent working on it, and all the people whom you've spoken with and when. Media is for after their failure to remedy the matter after 1 letter, just add it to the CC list. You might try writing the second letters as two- one to the company, one to the attorney general or congressional folks, and the other to the company, and include copies of both in the envelope to the company. Their failure to help is against entirely different laws. Use the words "acted in bad faith."

    Be persistent. It helps.

  24. Re:nothing at all by HBI · · Score: 5, Interesting

    A quick story, if you don't mind.

    In 1994 or 1995 I was late with my income taxes. I had never been late before. I was really freaking out - it was after midnight on April 15 and I was just getting done with the forms. I called my dad, woke him up, said "hey, can I use your postal meter to backdate this to April 15?" (he had a Pitney Bowes machine for his business). His reply was: ", how many people file income tax returns? 150 million? How many of them are on time? Obviously not all of them. Do you think the IRS has the resources to track down every person who ever mailed their taxes in on April 16? I can't believe that in 25 years of raising you, you haven't learned that yet". He hung up with a loud click. Suitably abashed, I put a stamp on it and sent it the next morning.

    Nothing further heard about it, obviously. The government is so lackadaisical about enforcement of regulations and laws that in most cases you can get away with just about anything, unless you generate the wrong kind of attention and they choose to make an example out of you. The trick is to live a quiet life and not draw attention, as the Mafia well knows. The common person believes in law enforcement because of those big cases that they see in the news, and that the district attorneys announce. It isn't because of any reality of assured punishment.

    My dad wiped the naivete out of me that day. Maybe his words can help someone else too.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  25. Re:No you were running spyware! by HeelToe · · Score: 5, Informative

    Actually, it was not spyware.

    I queried the dhcp server from a unix-alike box and got the same response back from it for the connection's dns domain as I did under windows. The DHCP server was handing it out for sure.

  26. Re:No you were running spyware! by plover · · Score: 5, Informative
    I run Spybot S & D, from http://security.kolla.de. It does a pretty good job of cleaning up these infections. It got rid of Xupiter, which was my first personal infection by spyware (or any virus for that matter.) I then asked my kid to stop running Morpheus and switch to Gnucleus. (I've since asked him not to participate in any file sharing at all because of all the legal crap flying about.)

    Of the bad ones, Lop (which you have) is far and away the most difficult to get rid of. It has many separate components, a Browser Helper Object, an executable launched at startup via an entry that's in your registry's HKLM/Software/Microsoft/Windows/CurrentVersion/Run key, (and possibly in RunOnce and/or RunServices, plus in the same path under each user as well), and others. I think it may even replace your WSOCK32.DLL but I don't remember if Lop is that one. If it is, it certainly would explain why your DNS went haywire. The deal with Lop is that all these components watch over each other. If you delete or disable one component, the others silently patch the hole next chance they get.

    To answer your question, I've never heard of it affecting a firewall/router. (I kind of assume you're running a Linksys, but regardless of the make & model make sure you don't still have the default password on it.) If Lop patched your winsock layer, the Windows box would be completely unable to tell you the truth about DHCP or DNS.

    It's not quite as bad as kudzu, but it's definitely not something you want.

    Anyway, I've found Spybot S&D to be a most excellent tool with frequent and current updates. It's the first thing I run every time I visit friends or family and they want me to look at their computers. It's also free, (but donations are welcome.) I switched from the paid version of AdAware+ after they failed to release V 6.0 on time. I do wish that the anti-virus vendors would block some of this crap.

    Other things I run to defend my Microsoft equipment from this stuff?

    • I run BHOCop occasionally, which lets me manage "Browser Helper Objects". The only BHO I allow is Acrobat.
    • I use StartupMonitor which watches all the startup registry keys, the "Startup" folders, the system services, and the Autoexec and Config files for changes and it pops up a confirmation message box before allowing any changes that would allow a new program to run on startup. If something wants to run at startup, I think I should know about it. It used to be freeware, but I think the magazine that sponsored it now wants $20.00 for it. I suppose I'll just have to get off my butt and write one (it's about a dozen Win32 API calls.) And while I'm at it, I think I'll have it watching for BHOs at the same time, and try to kill two birds with one stone. I don't like how it doesn't play nice with multiple users under XP anyway.
    • I run Mozilla as my primary browser. None of the spyware fiends seem to have targeted it. And it doesn't run stupid objects. But, I still have IE as the default browser because on Windows, there are some things that just have to have IE.
    • I run the Proxomitron as an ad-filtering proxy, so I added certain anti-spyware checks into it.
    • My son likes running Zone Alarm to keep an eye on what's leaving his box, but I found it kind of annoying so I removed it from mine. It doesn't really prevent much, per se, but it does let you know you're infected.
    • I tried creating directories for the default paths of Xupiter, Kontiki and others, and used CACLS to have NTFS remove all access. That was kind of a mistake, because even I couldn't get rid of them after that.
    • Finally, I had entries in my hosts file for the sites of the known worst offenders (lop, xupiter, bonzi buddy, gator, kontiki) so that even if something slipped thru, I wouldn't be accidentally talking to them. But I ended up with over 1600 lines in my hosts file, though, and name resolution started taking way too
    --
    John
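plover's point about Lop's components re-adding each other, and about wanting a StartupMonitor-style watcher, comes down to a baseline-and-diff of the auto-start locations he lists (Run/RunOnce/RunServices under HKLM and under each user hive, plus Browser Helper Objects). The Python below is an added example, not plover's or StartupMonitor's code: collection uses the standard-library winreg module and so needs Windows, the diff logic runs anywhere, and the two sample snapshots at the bottom are constructed (the BHO key path is a well-known one that the post does not name).

```python
"""Snapshot the watched auto-start locations and report any drift from a
baseline taken right after cleanup, so a re-added component is noticed."""
import json
import sys
from typing import Dict, List, Tuple

Snapshot = Dict[str, Dict[str, str]]  # location -> {value name or CLSID: data}

# Relative key paths, read under HKLM and under each hive in HKEY_USERS.
RUN_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
]
# BHOs register as CLSID subkeys here (well-known key; assumed, not from the post).
BHO_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def read_values(root, path: str) -> Dict[str, str]:
    """All values of one registry key as {name: data}; {} if the key is absent."""
    import winreg  # Windows only; imported lazily so the diff logic runs anywhere
    out: Dict[str, str] = {}
    try:
        with winreg.OpenKey(root, path, 0, winreg.KEY_READ) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, i)
                out[name] = str(data)
    except OSError:
        pass
    return out


def read_subkeys(root, path: str) -> List[str]:
    """Immediate subkey names of a key; [] if the key is absent."""
    import winreg
    try:
        with winreg.OpenKey(root, path, 0, winreg.KEY_READ) as key:
            return [winreg.EnumKey(key, i) for i in range(winreg.QueryInfoKey(key)[0])]
    except OSError:
        return []


def collect() -> Snapshot:
    """Snapshot every watched location: machine-wide, per loaded user hive, BHOs."""
    import winreg
    snap: Snapshot = {}
    for k in RUN_KEYS:
        snap["HKLM\\" + k] = read_values(winreg.HKEY_LOCAL_MACHINE, k)
    for sid in read_subkeys(winreg.HKEY_USERS, ""):
        for k in RUN_KEYS:
            snap[f"HKU\\{sid}\\{k}"] = read_values(winreg.HKEY_USERS, f"{sid}\\{k}")
    snap["HKLM\\" + BHO_KEY] = {
        clsid: "" for clsid in read_subkeys(winreg.HKEY_LOCAL_MACHINE, BHO_KEY)}
    return snap


def diff(old: Snapshot, new: Snapshot) -> List[Tuple[str, str, str, str]]:
    """(location, entry, before, after) for each entry added, removed or changed.
    Take the baseline after cleanup: a component that a surviving sibling
    silently restores then shows up as an addition on the next check."""
    changes = []
    for loc in sorted(set(old) | set(new)):
        before, after = old.get(loc, {}), new.get(loc, {})
        for name in sorted(set(before) | set(after)):
            if before.get(name) != after.get(name):
                changes.append((loc, name, before.get(name, ""), after.get(name, "")))
    return changes


# Constructed sample snapshots (placeholder names, not real Lop values): the
# second has a new per-user Run entry and a new BHO CLSID, exactly the drift
# a check should surface.
_HKLM_RUN = "HKLM\\" + RUN_KEYS[0]
_USER_RUN = "HKU\\S-1-5-21-EXAMPLE\\" + RUN_KEYS[0]
_BHOS = "HKLM\\" + BHO_KEY
BASELINE: Snapshot = {
    _HKLM_RUN: {"ExampleTray": r"C:\Program Files\Example\tray.exe"},
    _USER_RUN: {},
    _BHOS: {"{00000000-0000-0000-0000-000000000001}": ""},
}
AFTER: Snapshot = {
    _HKLM_RUN: {"ExampleTray": r"C:\Program Files\Example\tray.exe"},
    _USER_RUN: {"example_toolbar": r"C:\Windows\example_toolbar.exe"},
    _BHOS: {"{00000000-0000-0000-0000-000000000001}": "",
            "{00000000-0000-0000-0000-000000000002}": ""},
}


def main(argv: List[str]) -> int:
    """`snapshot FILE` writes a baseline; `check FILE` prints drift (Windows only)."""
    if len(argv) != 3 or argv[1] not in ("snapshot", "check"):
        print("usage: startup_watch.py snapshot|check baseline.json")
        return 2
    if argv[1] == "snapshot":
        with open(argv[2], "w") as fh:
            json.dump(collect(), fh, indent=1)
        return 0
    with open(argv[2]) as fh:
        changes = diff(json.load(fh), collect())
    for loc, name, before, after in changes:
        print(f"{loc}\n  {name}: {before!r} -> {after!r}")
    return 1 if changes else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```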