Weird message from someone named "NIPC"

Declan McCullagh declan at well.com
Wed Jul 25 22:15:21 PDT 2001


There seem to be three explanations.

1. Tim is having some fun with us. It would be easy for him to do so, and
NIPC (an FBI subagency) has been in the news today, with a WSJ article
this morning posted to the list and a Senate hearing this afternoon.
Tim's written similar things before and posted them straight-faced:
http://www.politechbot.com/p-01332.html

2. Someone is spoofing NIPC email and having fun with Tim.

3. This really did originate from within NIPC and is a major
cypherpunk intelligence find. The WSJ article
(http://www.politechbot.com/p-02306.html) says NIPC has been hit by
Sircam, which scans hard drives for email addresses in documents and
mail archives, according to descriptions I've read. Reports say Sircam
emails working documents (in My Documents or whatnot folder) and this
could have happened.

-Declan



On Wed, Jul 25, 2001 at 06:42:34PM -0700, Tim May wrote:
> Cypherpunks,
> 
> I've been getting anywhere from 10 to 30 "SirCam" worm messages a 
> day. The volume is now declining. Most have attached files containing 
> fragments of Microsoft Word documents, apparently extracted from the 
> disk drive of the sender. Most are the usual garbage people write to 
> each other, but some of the ones from corporations have been 
> interesting. And this one, assuming it is real, seems to have 
> originated from within some department of the government called "NIPC."
> 
> It must be bogus. This does not seem plausible, that they would send 
> me something, so I expect a hoax.
> 
> The attached file, with the message, is 926 K, so I'm only enclosing 
> a few tantalizing sections.
> 
> I really cannot imagine why I am getting these SirCam messages from 
> some government agency named "NIPC," unless for some reason my e-mail 
> address is in their address book. How could that happen?
> 
> (BTW, many of the SirCam messages have clock dates which are wrong. 
> This one is incorrectly dated "8/24/01".)
> 
> At 2:39 PM -0400 8/24/01, NIPC Intern42 wrote:
> ------017B5BE9_Outlook_Express_message_boundary
> Content-Type: text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: message text
> 
> Hi! How are you=3F
> 
> I send you this file in order to have your advice
> 
> See you later=2E Thanks
> 
> ------017B5BE9_Outlook_Express_message_boundary
> Content-Type: application/mixed; name="DC TOOLZ.zip.bat"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;  filename="DC TOOLZ.zip.bat"
> 
> 
> The NIPC and FedCIRC have recently received information on attempts 
> to locate, obtain control of and plant new malicious code known as 
> "W32-Leaves.worm" on computers previously infected with the SubSeven 
> Trojan.
> 
> The default ports for SubSeven to listen for network traffic are 
> 16959/tcp and 27374/tcp, though the numbers can be changed. Full 
> descriptions and removal instructions of a number of SubSeven 
> variants can be found at various anti-virus firm Web sites, including 
> the following:
> 
> 
> 
> A computer security unit within the U.S. Federal Bureau of 
> Investigation has detected a series of intrusions into U.S. 
> government networks under an investigation code named Moonlight Maze, 
> and the intrusions appear to have originated from Russia, an FBI 
> official told Congress this week. A spokesman for the Russian embassy 
> here today quoted the head of the press service for the Russian 
> foreign intelligence service, Nikita Rabusov, as saying the Russian 
> special services have "no relation whatsoever" to the theft of 
> information from computer networks of the U.S. federal agencies.
> 
> "American specialists have failed to establish from where this 
> intrusion originated," the embassy official quoted Rabusov as saying 
> in an interview with the Russian news agency Itar-Tass. "They only 
> indicated that it comes from a software company said to be 
> reverse-engineering the products of leading American software 
> companies. Russian special services are not so stupid to undertake 
> such an operation, in case the necessity arises, directly from 
> Moscow."
> 
> Please report computer crime to your local FBI office 
> (www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate 
> authorities. Incidents may be reported online at 
> www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit also 
> can be reached at (202) 323-3204/3205/3206, or nipc.watch at fbi.gov.
> 
> References to ECONCOM are to be deleted ASAP from all departmental 
> systems. SLAM DUNK cover to be vetted by NIPC for release to 
> journalists. Oakland and Monterey offices to coordinate.
> 
> 
> Michael Vatis, deputy assistant director and chief of the Federal 
> Bureau of Investigation's National Infrastructure Protection Center 
> (NIPC) created February 26, 1998, told the Senate Judiciary 
> Subcommittee on Terrorism, Technology and Government Information June 
> 29 that "crypto anarchists" see Washington's computers as "the final 
> exam, the ultimate challenge, the enemy which must be destroyed." 
> Agents are advised to seek out means of forcing these persons out of 
> the public debate.
> 
> 
> Internal Memorandum. The FRENZY Conference was a fantastic showing of 
> our capabilities for covert entry into target computers. PDs across 
> the country are asking how they can get their own CARNIVORE systems. 
> Here is one such request:
> 
> "We've bought so many necessary items from vendors who attended the 
> last FRENZY Conference ... the Conference was definitely one of the 
> best I've attended. I was particularly impressed by how easy the 
> Carnivore system was to set up."
> 
> Rick Smithman, Criminalistics Bureau Administrator, Lodi Police Department
> 
> 
> 
> With this thought in mind, The Laissez Faire City Times interviewed 
> Ed Hertzog, editor of The Free Associator, an interesting e-zine that 
> wants to facilitate Digital Anarchy. This interview is a little 
> mirror of an underground, libertarian world, whose landmarks and 
> standard-bearers are John Perry Barlow and Neal Stephenson, Nicholas 
> Negroponte and Ayn Rand, Louis Rossetto and David Friedman.
> 
> 
> NIPC has been tasked to assist in the take-down of a high-profile 
> hacker terrorist at the DefCon conference next week in Las Vegas. The 
> take-down is being planned for maximal public impact, as per AG 
> Ashcroft's memo of 24JUN01. Full assistance will be provided by NIPC. 
> Plain clothes agents will be at the conference to render assistance.
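
Added example, not part of the original thread: a mail-triage check run over the attachment headers quoted above, flagging the double extension, the nonstandard disposition on the text part, and the wrong clock date Tim mentions. The top-level headers, the placeholder attachment body, the receipt time passed in, and the extension list are assumptions made for the example.

```python
import email
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the part headers are the ones quoted in the post; the
# top-level headers and the base64 body (the word "placeholder") are assumed.
SAMPLE = """\
Date: Fri, 24 Aug 2001 14:39:00 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----017B5BE9_Outlook_Express_message_boundary"

------017B5BE9_Outlook_Express_message_boundary
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: message text

Hi! How are you=3F

------017B5BE9_Outlook_Express_message_boundary
Content-Type: application/mixed; name="DC TOOLZ.zip.bat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;  filename="DC TOOLZ.zip.bat"

cGxhY2Vob2xkZXI=

------017B5BE9_Outlook_Express_message_boundary--
"""

# Assumed list of Windows extensions that run when double-clicked.
EXECUTABLE_EXT = {"bat", "cmd", "com", "exe", "lnk", "pif", "scr", "vbs"}

def triage(raw, received, max_skew=timedelta(days=1)):
    """Return findings for a raw message; `received` is the local receipt time."""
    msg = email.message_from_string(raw)
    findings = []
    sent = parsedate_to_datetime(msg["Date"])
    if abs(sent - received) > max_skew:
        findings.append(f"Date header differs from receipt time by {abs(sent - received).days} days")
    for part in msg.walk():
        disp = part.get_content_disposition()
        if disp not in (None, "inline", "attachment"):
            findings.append(f"nonstandard Content-Disposition: {disp!r}")
        name = part.get_filename()
        pieces = name.lower().rsplit(".", 2) if name else []
        if len(pieces) >= 2 and pieces[-1] in EXECUTABLE_EXT:
            kind = "double" if len(pieces) == 3 else "single"
            findings.append(f"{name!r}: {kind} extension ending in executable .{pieces[-1]}")
    return findings
```

Called with the sample and the time of Tim's post as the receipt time, it returns three findings: the 29-day date skew, the "message text" disposition, and the .zip.bat attachment name.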




