Weird message from someone named "NIPC"
Cypherpunks,
I've been getting anywhere from 10 to 30 "SirCam" worm messages a day. The volume is now declining. Most have attached files containing fragments of Microsoft Word documents, apparently extracted from the disk drive of the sender. Most are the usual garbage people write to each other, but some of the ones from corporations have been interesting. And this one, assuming it is real, seems to have originated from within some department of the government called "NIPC."
It must be bogus. This does not seem plausible, that they would send me something, so I expect a hoax.
The attached file, with the message, is 926 K, so I'm only enclosing a few tantalizing sections.
I really cannot imagine why I am getting these SirCam messages from some government agency named "NIPC," unless for some reason my e-mail address is in their address book. How could that happen?
(BTW, many of the SirCam messages have clock dates which are wrong. This one is incorrectly dated "8/24/01".)
At 2:39 PM -0400 8/24/01, NIPC Intern42 wrote:
------017B5BE9_Outlook_Express_message_boundary
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: message text
Hi! How are you=3F
I send you this file in order to have your advice
See you later=2E Thanks
------017B5BE9_Outlook_Express_message_boundary
Content-Type: application/mixed; name="DC TOOLZ.zip.bat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DC TOOLZ.zip.bat"
The NIPC and FedCIRC have recently received information on attempts to locate, obtain control of and plant new malicious code known as "W32-Leaves.worm" on computers previously infected with the SubSeven Trojan.
The default ports for SubSeven to listen for network traffic are 16959/tcp and 27374/tcp, though the numbers can be changed. Full descriptions and removal instructions of a number of SubSeven variants can be found at various anti-virus firm Web sites, including the following:
A computer security unit within the U.S. Federal Bureau of Investigation has detected a series of intrusions into U.S. government networks under an investigation code named Moonlight Maze, and the intrusions appear to have originated from Russia, an FBI official told Congress this week. A spokesman for the Russian embassy here today quoted the head of the press service for the Russian foreign intelligence service, Nikita Rabusov, as saying the Russian special services have "no relation whatsoever" to the theft of information from computer networks of the U.S. federal agencies.
"American specialists have failed to establish from where this intrusion originated," the embassy official quoted Rabusov as saying in an interview with the Russian news agency Itar-Tass. "They only indicated that it comes from a software company said to be reverse-engineering the products of leading American software companies. Russian special services are not so stupid to undertake such an operation, in case the necessity arises, directly from Moscow."
Please report computer crime to your local FBI office (www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Incidents may be reported online at www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit also can be reached at (202) 323-3204/3205/3206, or nipc.watch@fbi.gov.
References to ECONCOM are to be deleted ASAP from all departmental systems. SLAM DUNK cover to be vetted by NIPC for release to journalists. Oakland and Monterey offices to coordinate.
Michael Vatis, deputy assistant director and chief of the Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC) created February 26, 1998, told the Senate Judiciary Subcommittee on Terrorism, Technology and Government Information June 29 that "crypto anarchists" see Washington's computers as "the final exam, the ultimate challenge, the enemy which must be destroyed." Agents are advised to seek out means of forcing these persons out of the public debate.
Internal Memorandum. The FRENZY Conference was a fantastic showing of our capabilities for covert entry into target computers. PDs across the country are asking how they can get their own CARNIVORE systems. Here is one such request:
"We've bought so many necessary items from vendors who attended the last FRENZY Conference ... the Conference was definitely one of the best I've attended. I was particularly impressed by how easy the Carnivore system was to set up."
Rick Smithman, Criminalistics Bureau Administrator, Lodi Police Department
With this thought in mind, The Laissez Faire City Times interviewed Ed Hertzog, editor of The Free Associator, an interesting e-zine that wants to facilitate Digital Anarchy. This interview is a little mirror of an underground, libertarian world, whose landmarks and standard-bearers are John Perry Barlow and Neal Stephenson, Nicholas Negroponte and Ayn Rand, Louis Rossetto and David Friedman.
NIPC has been tasked to assist in the take-down of a high-profile hacker terrorist at the DefCon conference next week in Las Vegas. The take-down is being planned for maximal public impact, as per AG Ashcroft's memo of 24JUN01. Full assistance will be provided by NIPC. Plain clothes agents will be at the conference to render assistance.
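
A mail-gateway check for the attachment pattern quoted in the message above (a document-style name followed by an executable extension, "DC TOOLZ.zip.bat"), as an added example that is not part of the original thread. The sample message is constructed from the MIME headers quoted on the page; the addresses, subject, attachment bodies, the second attachment and the extension list are assumptions made for illustration.

```python
import os
from email import message_from_string
from email.utils import collapse_rfc2231_value

# Assumed policy list: extensions Windows runs directly when double-clicked.
EXECUTABLE_EXTS = {".bat", ".cmd", ".com", ".exe", ".lnk", ".pif", ".scr", ".vbs"}

# Constructed sample: part headers copied from the thread, everything else invented.
SAMPLE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: DC TOOLZ
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----017B5BE9_Outlook_Express_message_boundary"

------017B5BE9_Outlook_Express_message_boundary
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: message text

Hi! How are you=3F
I send you this file in order to have your advice
See you later=2E Thanks

------017B5BE9_Outlook_Express_message_boundary
Content-Type: application/mixed; name="DC TOOLZ.zip.bat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DC TOOLZ.zip.bat"

cGxhY2Vob2xkZXI=
------017B5BE9_Outlook_Express_message_boundary
Content-Type: application/msword; name="minutes.v2.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="minutes.v2.doc"

cGxhY2Vob2xkZXI=
------017B5BE9_Outlook_Express_message_boundary--
"""


def classify(filename: str) -> list[str]:
    """Return the reasons a file name looks like a disguised executable."""
    # Windows ignores trailing dots and spaces, so drop them before checking.
    name = filename.strip().rstrip(". ").lower()
    stem, ext = os.path.splitext(name)
    if ext not in EXECUTABLE_EXTS:
        return []
    reasons = [f"executable extension {ext}"]
    inner = os.path.splitext(stem)[1]
    if inner:
        # With "hide known extensions" on, only the inner extension is shown.
        reasons.append(f"double extension {inner}{ext} disguises the real type")
    return reasons


def suspicious_attachments(raw: str) -> list[dict]:
    """Walk every MIME leaf part and flag names that classify() rejects."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        # A client may take the name from Content-Disposition or from
        # Content-Type, and the two can differ, so check both.
        candidates = set()
        for value in (part.get_filename(), part.get_param("name")):
            if value:
                candidates.add(collapse_rfc2231_value(value))
        for name in sorted(candidates):
            reasons = classify(name)
            if reasons:
                findings.append({
                    "filename": name,
                    "content_type": part.get_content_type(),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for hit in suspicious_attachments(SAMPLE):
        print(hit["filename"], hit["content_type"], "; ".join(hit["reasons"]))
```

The ordinary document attachment in the sample is not flagged, because a second dot in a name is only treated as a problem when the final extension is executable.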
There seem to be three explanations.
1. Tim is having some fun with us. It would be easy for him to do so, and NIPC (an FBI subagency) has been in the news today, with a WSJ article this morning posted to the list and a Senate hearing this afternoon. Tim's written similar things before and posted them straight-faced: http://www.politechbot.com/p-01332.html
2. Someone is spoofing NIPC email and having fun with Tim.
3. This really did originate from within NIPC and is a major cypherpunk intelligence find. The WSJ article (http://www.politechbot.com/p-02306.html) says NIPC has been hit by Sircam, which scans hard drives for email addresses in documents and mail archives, according to descriptions I've read. Reports say Sircam emails working documents (in My Documents or whatnot folder) and this could have happened.
-Declan
On Wed, Jul 25, 2001 at 06:42:34PM -0700, Tim May wrote:
Cypherpunks,
I've been getting anywhere from 10 to 30 "SirCam" worm messages a day. The volume is now declining. Most have attached files containing fragments of Microsoft Word documents, apparently extracted from the disk drive of the sender. Most are the usual garbage people write to each other, but some of the ones from corporations have been interesting. And this one, assuming it is real, seems to have originated from within some department of the government called "NIPC."
It must be bogus. This does not seem plausible, that they would send me something, so I expect a hoax.
The attached file, with the message, is 926 K, so I'm only enclosing a few tantalizing sections.
I really cannot imagine why I am getting these SirCam messages from some government agency named "NIPC," unless for some reason my e-mail address is in their address book. How could that happen?
(BTW, many of the SirCam messages have clock dates which are wrong. This one is incorrectly dated "8/24/01".)
At 2:39 PM -0400 8/24/01, NIPC Intern42 wrote:
------017B5BE9_Outlook_Express_message_boundary
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: message text
Hi! How are you=3F
I send you this file in order to have your advice
See you later=2E Thanks
------017B5BE9_Outlook_Express_message_boundary
Content-Type: application/mixed; name="DC TOOLZ.zip.bat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DC TOOLZ.zip.bat"
The NIPC and FedCIRC have recently received information on attempts to locate, obtain control of and plant new malicious code known as "W32-Leaves.worm" on computers previously infected with the SubSeven Trojan.
The default ports for SubSeven to listen for network traffic are 16959/tcp and 27374/tcp, though the numbers can be changed. Full descriptions and removal instructions of a number of SubSeven variants can be found at various anti-virus firm Web sites, including the following:
A computer security unit within the U.S. Federal Bureau of Investigation has detected a series of intrusions into U.S. government networks under an investigation code named Moonlight Maze, and the intrusions appear to have originated from Russia, an FBI official told Congress this week. A spokesman for the Russian embassy here today quoted the head of the press service for the Russian foreign intelligence service, Nikita Rabusov, as saying the Russian special services have "no relation whatsoever" to the theft of information from computer networks of the U.S. federal agencies.
"American specialists have failed to establish from where this intrusion originated," the embassy official quoted Rabusov as saying in an interview with the Russian news agency Itar-Tass. "They only indicated that it comes from a software company said to be reverse-engineering the products of leading American software companies. Russian special services are not so stupid to undertake such an operation, in case the necessity arises, directly from Moscow."
Please report computer crime to your local FBI office (www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Incidents may be reported online at www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit also can be reached at (202) 323-3204/3205/3206, or nipc.watch@fbi.gov.
References to ECONCOM are to be deleted ASAP from all departmental systems. SLAM DUNK cover to be vetted by NIPC for release to journalists. Oakland and Monterey offices to coordinate.
Michael Vatis, deputy assistant director and chief of the Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC) created February 26, 1998, told the Senate Judiciary Subcommittee on Terrorism, Technology and Government Information June 29 that "crypto anarchists" see Washington's computers as "the final exam, the ultimate challenge, the enemy which must be destroyed." Agents are advised to seek out means of forcing these persons out of the public debate.
Internal Memorandum. The FRENZY Conference was a fantastic showing of our capabilities for covert entry into target computers. PDs across the country are asking how they can get their own CARNIVORE systems. Here is one such request:
"We've bought so many necessary items from vendors who attended the last FRENZY Conference ... the Conference was definitely one of the best I've attended. I was particularly impressed by how easy the Carnivore system was to set up."
Rick Smithman, Criminalistics Bureau Administrator, Lodi Police Department
With this thought in mind, The Laissez Faire City Times interviewed Ed Hertzog, editor of The Free Associator, an interesting e-zine that wants to facilitate Digital Anarchy. This interview is a little mirror of an underground, libertarian world, whose landmarks and standard-bearers are John Perry Barlow and Neal Stephenson, Nicholas Negroponte and Ayn Rand, Louis Rossetto and David Friedman.
NIPC has been tasked to assist in the take-down of a high-profile hacker terrorist at the DefCon conference next week in Las Vegas. The take-down is being planned for maximal public impact, as per AG Ashcroft's memo of 24JUN01. Full assistance will be provided by NIPC. Plain clothes agents will be at the conference to render assistance.
Now that I've actually read through some of what Tim posted, I think it's clear what it is. Hint: Vatis wasn't in charge of NIPC by June 29, and I don't recall any such hearing, and his reported comments are a little, well, unusual.
--Declan
On Thu, Jul 26, 2001 at 01:15:21AM -0400, Declan McCullagh wrote:
There seem to be three explanations.
1. Tim is having some fun with us. It would be easy for him to do so, and NIPC (an FBI subagency) has been in the news today, with a WSJ article this morning posted to the list and a Senate hearing this afternoon. Tim's written similar things before and posted them straight-faced: http://www.politechbot.com/p-01332.html
2. Someone is spoofing NIPC email and having fun with Tim.
3. This really did originate from within NIPC and is a major cypherpunk intelligence find. The WSJ article (http://www.politechbot.com/p-02306.html) says NIPC has been hit by Sircam, which scans hard drives for email addresses in documents and mail archives, according to descriptions I've read. Reports say Sircam emails working documents (in My Documents or whatnot folder) and this could have happened.
-Declan
On Wed, Jul 25, 2001 at 06:42:34PM -0700, Tim May wrote:
Cypherpunks,
I've been getting anywhere from 10 to 30 "SirCam" worm messages a day. The volume is now declining. Most have attached files containing fragments of Microsoft Word documents, apparently extracted from the disk drive of the sender. Most are the usual garbage people write to each other, but some of the ones from corporations have been interesting. And this one, assuming it is real, seems to have originated from within some department of the government called "NIPC."
It must be bogus. This does not seem plausible, that they would send me something, so I expect a hoax.
The attached file, with the message, is 926 K, so I'm only enclosing a few tantalizing sections.
I really cannot imagine why I am getting these SirCam messages from some government agency named "NIPC," unless for some reason my e-mail address is in their address book. How could that happen?
(BTW, many of the SirCam messages have clock dates which are wrong. This one is incorrectly dated "8/24/01".)
At 2:39 PM -0400 8/24/01, NIPC Intern42 wrote:
------017B5BE9_Outlook_Express_message_boundary
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: message text
Hi! How are you=3F
I send you this file in order to have your advice
See you later=2E Thanks
------017B5BE9_Outlook_Express_message_boundary
Content-Type: application/mixed; name="DC TOOLZ.zip.bat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DC TOOLZ.zip.bat"
The NIPC and FedCIRC have recently received information on attempts to locate, obtain control of and plant new malicious code known as "W32-Leaves.worm" on computers previously infected with the SubSeven Trojan.
The default ports for SubSeven to listen for network traffic are 16959/tcp and 27374/tcp, though the numbers can be changed. Full descriptions and removal instructions of a number of SubSeven variants can be found at various anti-virus firm Web sites, including the following:
A computer security unit within the U.S. Federal Bureau of Investigation has detected a series of intrusions into U.S. government networks under an investigation code named Moonlight Maze, and the intrusions appear to have originated from Russia, an FBI official told Congress this week. A spokesman for the Russian embassy here today quoted the head of the press service for the Russian foreign intelligence service, Nikita Rabusov, as saying the Russian special services have "no relation whatsoever" to the theft of information from computer networks of the U.S. federal agencies.
"American specialists have failed to establish from where this intrusion originated," the embassy official quoted Rabusov as saying in an interview with the Russian news agency Itar-Tass. "They only indicated that it comes from a software company said to be reverse-engineering the products of leading American software companies. Russian special services are not so stupid to undertake such an operation, in case the necessity arises, directly from Moscow."
Please report computer crime to your local FBI office (www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Incidents may be reported online at www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit also can be reached at (202) 323-3204/3205/3206, or nipc.watch@fbi.gov.
References to ECONCOM are to be deleted ASAP from all departmental systems. SLAM DUNK cover to be vetted by NIPC for release to journalists. Oakland and Monterey offices to coordinate.
Michael Vatis, deputy assistant director and chief of the Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC) created February 26, 1998, told the Senate Judiciary Subcommittee on Terrorism, Technology and Government Information June 29 that "crypto anarchists" see Washington's computers as "the final exam, the ultimate challenge, the enemy which must be destroyed." Agents are advised to seek out means of forcing these persons out of the public debate.
Internal Memorandum. The FRENZY Conference was a fantastic showing of our capabilities for covert entry into target computers. PDs across the country are asking how they can get their own CARNIVORE systems. Here is one such request:
"We've bought so many necessary items from vendors who attended the last FRENZY Conference ... the Conference was definitely one of the best I've attended. I was particularly impressed by how easy the Carnivore system was to set up."
Rick Smithman, Criminalistics Bureau Administrator, Lodi Police Department
With this thought in mind, The Laissez Faire City Times interviewed Ed Hertzog, editor of The Free Associator, an interesting e-zine that wants to facilitate Digital Anarchy. This interview is a little mirror of an underground, libertarian world, whose landmarks and standard-bearers are John Perry Barlow and Neal Stephenson, Nicholas Negroponte and Ayn Rand, Louis Rossetto and David Friedman.
NIPC has been tasked to assist in the take-down of a high-profile hacker terrorist at the DefCon conference next week in Las Vegas. The take-down is being planned for maximal public impact, as per AG Ashcroft's memo of 24JUN01. Full assistance will be provided by NIPC. Plain clothes agents will be at the conference to render assistance.
Declan McCullagh wrote:
Now that I've actually read through some of what Tim posted, I think it's clear what it is. Hint: Vatis wasn't in charge of NIPC by June 29, and I don't recall any such hearing, and his reported comments are a little, well, unusual. --Declan
I thought they were supposed to keep classified and unclassified material on separate machines and networks. The information in this document would presumably be classified, and the machine it was on shouldn't have had internet access. The rules are there to prevent just this sort of thing. Of course, as we saw in the case of John Deutch, these rules are broken.
On Thu, 26 Jul 2001, Declan McCullagh wrote:
Now that I've actually read through some of what Tim posted, I think it's clear what it is. Hint: Vatis wasn't in charge of NIPC by June 29, and I don't recall any such hearing, and his reported comments are a little, well, unusual. --Declan
"A mind-fuck is a terrible thing to waste."
alan@ctrl-alt-del.com | Note to AOL users: for a quick shortcut to reply
Alan Olsen            | to my mail, just hit the ctrl, alt and del keys.
"All power is derived from the barrel of a gnu." - Mao Tse Stallman
At 01:15 AM 7/26/01 -0400, Declan McCullagh wrote:
There seem to be three explanations.
Yes. But we can assume that TM knows who NIPC are. (And vice-versa :-) Ergo, this is Tim's humor. But it almost caught me too.
1. Tim is having some fun with us. It would be easy for him to do so, and NIPC (an FBI subagency) has been in the news today, with a WSJ article this morning posted to the list and a Senate hearing this afternoon. Tim's written similar things before and posted them straight-faced: http://www.politechbot.com/p-01332.html
2. Someone is spoofing NIPC email and having fun with Tim.
3. This really did originate from within NIPC and is a major cypherpunk intelligence find. The WSJ article (http://www.politechbot.com/p-02306.html) says NIPC has been hit by Sircam, which scans hard drives for email addresses in documents and mail archives, according to descriptions I've read. Reports say Sircam emails working documents (in My Documents or whatnot folder) and this could have happened.
-Declan
On Wed, Jul 25, 2001 at 06:42:34PM -0700, Tim May wrote:
Cypherpunks,
I've been getting anywhere from 10 to 30 "SirCam" worm messages a day. The volume is now declining. Most have attached files containing fragments of Microsoft Word documents, apparently extracted from the disk drive of the sender. Most are the usual garbage people write to each other, but some of the ones from corporations have been interesting. And this one, assuming it is real, seems to have originated from within some department of the government called "NIPC."
It must be bogus. This does not seem plausible, that they would send me something, so I expect a hoax.
The attached file, with the message, is 926 K, so I'm only enclosing a few tantalizing sections.
I really cannot imagine why I am getting these SirCam messages from some government agency named "NIPC," unless for some reason my e-mail address is in their address book. How could that happen?
(BTW, many of the SirCam messages have clock dates which are wrong. This one is incorrectly dated "8/24/01".)
At 2:39 PM -0400 8/24/01, NIPC Intern42 wrote:
------017B5BE9_Outlook_Express_message_boundary
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: message text
Hi! How are you=3F
I send you this file in order to have your advice
See you later=2E Thanks
------017B5BE9_Outlook_Express_message_boundary
Content-Type: application/mixed; name="DC TOOLZ.zip.bat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DC TOOLZ.zip.bat"
The NIPC and FedCIRC have recently received information on attempts to locate, obtain control of and plant new malicious code known as "W32-Leaves.worm" on computers previously infected with the SubSeven Trojan.
The default ports for SubSeven to listen for network traffic are 16959/tcp and 27374/tcp, though the numbers can be changed. Full descriptions and removal instructions of a number of SubSeven variants can be found at various anti-virus firm Web sites, including the following:
A computer security unit within the U.S. Federal Bureau of Investigation has detected a series of intrusions into U.S. government networks under an investigation code named Moonlight Maze, and the intrusions appear to have originated from Russia, an FBI official told Congress this week. A spokesman for the Russian embassy here today quoted the head of the press service for the Russian foreign intelligence service, Nikita Rabusov, as saying the Russian special services have "no relation whatsoever" to the theft of information from computer networks of the U.S. federal agencies.
"American specialists have failed to establish from where this intrusion originated," the embassy official quoted Rabusov as saying in an interview with the Russian news agency Itar-Tass. "They only indicated that it comes from a software company said to be reverse-engineering the products of leading American software companies. Russian special services are not so stupid to undertake such an operation, in case the necessity arises, directly from Moscow."
Please report computer crime to your local FBI office (www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Incidents may be reported online at www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit also can be reached at (202) 323-3204/3205/3206, or nipc.watch@fbi.gov.
References to ECONCOM are to be deleted ASAP from all departmental systems. SLAM DUNK cover to be vetted by NIPC for release to journalists. Oakland and Monterey offices to coordinate.
Michael Vatis, deputy assistant director and chief of the Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC) created February 26, 1998, told the Senate Judiciary Subcommittee on Terrorism, Technology and Government Information June 29 that "crypto anarchists" see Washington's computers as "the final exam, the ultimate challenge, the enemy which must be destroyed." Agents are advised to seek out means of forcing these persons out of the public debate.
Internal Memorandum. The FRENZY Conference was a fantastic showing of our capabilities for covert entry into target computers. PDs across the country are asking how they can get their own CARNIVORE systems. Here is one such request:
"We've bought so many necessary items from vendors who attended the last FRENZY Conference ... the Conference was definitely one of the best I've attended. I was particularly impressed by how easy the Carnivore system was to set up."
Rick Smithman, Criminalistics Bureau Administrator, Lodi Police Department
With this thought in mind, The Laissez Faire City Times interviewed Ed Hertzog, editor of The Free Associator, an interesting e-zine that wants to facilitate Digital Anarchy. This interview is a little mirror of an underground, libertarian world, whose landmarks and standard-bearers are John Perry Barlow and Neal Stephenson, Nicholas Negroponte and Ayn Rand, Louis Rossetto and David Friedman.
NIPC has been tasked to assist in the take-down of a high-profile hacker terrorist at the DefCon conference next week in Las Vegas. The take-down is being planned for maximal public impact, as per AG Ashcroft's memo of 24JUN01. Full assistance will be provided by NIPC. Plain clothes agents will be at the conference to render assistance.
4. It's another one of those 'hahaha' virus trolls that has been going on for a while now. And you guys are the 'techno-elite'....
On Thu, 26 Jul 2001, Declan McCullagh wrote:
There seem to be three explanations.
1. Tim is having some fun with us. It would be easy for him to do so, and NIPC (an FBI subagency) has been in the news today, with a WSJ article this morning posted to the list and a Senate hearing this afternoon. Tim's written similar things before and posted them straight-faced: http://www.politechbot.com/p-01332.html
2. Someone is spoofing NIPC email and having fun with Tim.
3. This really did originate from within NIPC and is a major cypherpunk intelligence find. The WSJ article (http://www.politechbot.com/p-02306.html) says NIPC has been hit by Sircam, which scans hard drives for email addresses in documents and mail archives, according to descriptions I've read. Reports say Sircam emails working documents (in My Documents or whatnot folder) and this could have happened.
--
____________________________________________________________________
Nature and Nature's laws lay hid in night:
God said, "Let Tesla be", and all was light.
B.A. Behrend
The Armadillo Group       ,::////;::-.          James Choate
Austin, Tx               /:'///// ``::>/|/      ravage@ssz.com
www.ssz.com            .', |||| `/( e\          512-451-7087
                    -====~~mm-'`-```-mm --'-
--------------------------------------------------------------------
participants (6)
- Alan Olsen
- David Honig
- Declan McCullagh
- Jamie Nicolson
- Jim Choate
- Tim May