Poor follow-up left public vulnerable after FBI's DNSChanger bust
The FBI’s Operation Ghost Click went down as planned in November. An Estonian Internet fraud ring running criminal DNS servers was taken down with six people arrested.
“The operational work they did was excellent,” said Rod Rasmussen, chief technology officer of the security firm Internet Identity.
The data centers housing the rogue servers had been identified and the FBI had a court order allowing the nonprofit Internet Systems Consortium to run the servers for 120 days to give owners of infected computers time to clean out the DNSChanger malware. The FBI published information about the need to clean up computers so they would not be cut off from the Internet when the DNS servers were taken offline.
Then the ball was dropped.
“We didn’t do a great job of getting the word out,” said Rasmussen, who is part of the industry’s DNSChanger Working Group. Information was available, but “you can’t just expect people to find it on their own.”
As a result, it was estimated shortly before the original court-imposed March 8 deadline for taking the rogue servers offline that millions of computers remained infected — though government agencies, Rasmussen said, had largely cleaned their own systems.
A few days before that deadline, a federal judge granted a request to extend the deadline to July 9, thereby giving individuals and organizations more time. But that doesn’t change the fact that the original 120-day window was largely wasted with little or no effort to alert the public of the pressing need to fix the problem.
I’m not blaming either industry or government for this. As Rasmussen said, “chalk it up to lessons learned.” It was a new experience, and nobody foresaw the need for aggressive public outreach. “You’re talking about a lot of law enforcement and computer nerds.”
The news media were not much help, either. Most accounts of the initial story in November led with the arrest of the Estonians and did not go far beyond that. The need for subsequent cleanup was either buried or ignored.
That is why Internet Identity issued a press release in February pointing out that half of Fortune 500 companies and government agencies remained infected and risked being cut off from the Internet. That got the media’s attention, but even then the story was garbled, producing headlines such as “FBI Might Shut Down the Internet March 8.” That's neither accurate nor helpful.
On the other hand, the authorities and industry did a lot of good work. The working group has provided information on DNSChanger about how to find out whether you are infected and how to clean it up, and the FBI’s information is helpful as well. The key is getting that information to the press and in front of the public.
“We have certainly learned a lot from the experience,” Rasmussen said.
There has to be a plan to get the information out and to educate reporters about the issues so they can write responsibly. It need not be difficult. This is a great news story that most reporters would be eager to write about. That’s our job, after all. But if we have to dig for it, a lot of the story is likely to be missed.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.