Feds Thwart Extortion Plot Against Best Buy
hiero writes "From an article in the Star Tribune: 'Federal authorities said Tuesday they thwarted an extortion plot against Best Buy Co. Inc. by a man who sent the company an e-mail threatening to expose what he claimed were weaknesses in the retailer's computer system unless he was paid $2.5 million.' What's really interesting to me, though, is this paragraph further on in the article: 'The federal search warrant was obtained the morning of Oct. 24 and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.' Internet Protocol Address Verifier? Is this Carnivore in action?"
This could effectively stop spam, at least in conjunction with additional laws. Would it be worth it?
----
Squirrel
Okay... I'll do the stupid things first, then you shy people follow.
[Zappa]
Sorry, but no it doesn't. I use Outlook at work and I have to allow mine to return a receipt; if I cancel the request nothing is returned to the sender.
Kingdom of Loathing (www.kingdomofloathing.com) Addicted is me
On one hand, if a genuine white hat hacker finds an exploit in a network and tells the owners about it, s/he finds himself ostracized for the actions, and is threatened with legalities.
And on the other hand, what this guy tried to do was establish a "business relationship" -- notice that he did try to contact them first with the offer to help them:
The e-mail also offered to establish an unspecified business relationship between the sender and Best Buy, adding: "Without your response, we are obligated to share the security hole with the public for their protection. As a result, Best Buy may experience a loss in business, thefts and lawsuits."
Of course, once he noticed he wasn't getting anywhere, he decided to resort to good ole' blackmail.
Honestly, this was bound to happen some day or the other. When legitimate security people point out bugs and holes, they get treated like scum and are threatened with lawsuits. So what's the best thing to do? Threaten the companies with money. Even if 0.1% of the companies gave in, it still is a way of making money.
Good, at least this way companies will be more careful about protecting data.
Hmm, sounds like a fancy name for a computer expert. All you have to do is read the SMTP headers in most email and it will reveal the sender's IP. Just trace it back down the line of servers through which the email was routed, and you get back to the original IP address.
If the sender is spoofing headers, however, this becomes more difficult. Why not just subpoena the ISP for their email data? Doesn't the server keep a log of what IP addresses sent which pieces of email?
For example:
Received: from [65.119.30.157] (helo=SMTP.magnellmail.net)
by snoopy-bak.runbox.com with smtp (Exim 4.24)
id 1Ae9TJ-0006F6-B0
for xxxxxxxx@runbox.com; Wed, 07 Jan 2004 09:55:25 +0100
Received: from mail pickup service by E1SSL2 with Microsoft SMTPSVC;
Wed, 7 Jan 2004 00:56:48 -0800
The above shows that someone at 65.119.30.157 sent this email. It went through their mail server (magnellmail.net) to runbox, my provider. From there, Runbox directed it to my Inbox when I opened Outlook.
There is also a very unique message ID at the end of the headers section:
Message-ID: [E1SSL23ZpEVmkWFBXZG000011b9@E1SSL2]
Could this be used by the Email provider to find out who sent emails, if the IP address is missing or spoofed?
Homestarrunner.net -- It's Dot Com!
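The header-walking the comment above describes can be scripted. The following is an added example, not code from the original thread; it rebuilds the quoted Received chain as a constructed sample (with the Message-ID in standard angle brackets) and parses it with Python's standard email module. The one caveat the comment hints at is made explicit in first_trusted_origin: servers prepend Received lines, so only the lines written by relays you trust are evidence, and the chain is read from the top down until the first untrusted relay. The trusted host set passed in is an assumption for the demo.

```python
import re
from email import message_from_string

# Constructed sample: the Received chain quoted in the comment above, plus a
# Message-ID line, rebuilt as a header block the email module can parse.
RAW_HEADERS = """\
Received: from [65.119.30.157] (helo=SMTP.magnellmail.net)
\tby snoopy-bak.runbox.com with smtp (Exim 4.24)
\tid 1Ae9TJ-0006F6-B0
\tfor xxxxxxxx@runbox.com; Wed, 07 Jan 2004 09:55:25 +0100
Received: from mail pickup service by E1SSL2 with Microsoft SMTPSVC;
\tWed, 7 Jan 2004 00:56:48 -0800
Message-ID: <E1SSL23ZpEVmkWFBXZG000011b9@E1SSL2>
Subject: constructed sample

(body omitted)
"""

HOP_RE = re.compile(r"from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(value):
    """Split one Received header into the 'from' clause, the 'by' host and
    any bracketed literal IP the receiving server recorded."""
    flat = " ".join(value.split())          # unfold continuation lines
    m = HOP_RE.search(flat)
    if not m:
        return {"from": None, "by": None, "ip": None, "raw": flat}
    ip = IP_RE.search(m.group("from"))
    return {
        "from": m.group("from"),
        "by": m.group("by").rstrip(";"),
        "ip": ip.group(1) if ip else None,
        "raw": flat,
    }


def trace_hops(raw_message):
    """Return hops in chronological order (earliest relay first).
    Servers prepend Received headers, so the top header is the latest hop."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    return [parse_hop(v) for v in reversed(received)]


def first_trusted_origin(raw_message, trusted_hosts):
    """Walk the chain from the newest hop down while the 'by' host is one
    we trust; return the 'from' IP recorded by the last trusted hop.
    Anything beneath that line was written by a server the sender controls
    (or could have forged), so it only shows what they wanted us to see."""
    msg = message_from_string(raw_message)
    origin = None
    for value in msg.get_all("Received") or []:
        hop = parse_hop(value)
        if hop["by"] not in trusted_hosts:
            break
        if hop["ip"]:
            origin = hop["ip"]
    return origin


if __name__ == "__main__":
    for hop in trace_hops(RAW_HEADERS):
        print(f"{hop['from']!s:45} -> {hop['by']}  ip={hop['ip']}")
    print("best-known origin:",
          first_trusted_origin(RAW_HEADERS, {"snoopy-bak.runbox.com"}))
```

On the sample, the only relay we trust is runbox, so the best-known origin is the 65.119.30.157 that runbox itself recorded; the Microsoft SMTPSVC line below it was written by the sending side and is taken on faith. That is exactly why, as the comment notes, the next step is a subpoena to the operator of that IP rather than anything further down the header.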
Personally, why isn't technology like this being adapted to fight SPAM? Maybe the FBI is trying to keep tools like this under wraps so they can continue to use it against people, rather than knowledge of its existence being a deterrent... double-edged sword, I guess. I'm honestly curious how serious the extortionists were... The scheme sounds very half-hatched to me...
~~~ SCO sued me because I printed this t-shirt with a Linux driven printer...
This is the first time google has heard about it as well, apparently.
I'm much more concerned that their cash registers use WiFi without a lick of encryption... I read several stories a while back about people sitting out in the parking lot with sniffers, capturing credit card information...
I'm not sure why the parent is moderated as funny, but it's completely true. That's probably what their IP address verifier used. It's low-tech, but will catch many morons.
Even if there may be something that can trace from which (IP) address an event happened (though I completely agree with the 1x1 gif idea), I don't see how it could prove something in court.
What if the email was sent (the SMTP server was invoked) from a compromised computer? There are lots of Win98 boxes online with hundreds of exploits ready, waiting for somebody who needs an IP to do something from. What if the person uses a cascade of proxies and shells?
I will just mention all the possibilities the iproute2 package gives to move network segments and obscure what is going on.
We should do everything possible to prevent the court system from taking computer-generated information (logs) as reliable evidence, because it may be just the start of the witch hunt...
For any black-mail (male?) scheme always be prepared to back it up with several remote sites with cron scripts to email the content to everyone (buy a spam CD) unless you take actions daily/weekly/etc. to prevent the mail from sending. This is so that if you get taken into custody, the whole thing is blown open, since you're fucked anyway!
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
The best way to do this would have been to use anonymous remailers and a nym address. Then you are protected from ISPs subpoenaing logs, as well as the email being encrypted and bounced around the net before it ends up in your inbox.
Those interested in finding out more about anonymous remailers should take a look at the APAS FAQ
However, were he to have the final email arriving in his Outlook, and he decrypted it with the PGP plugin, then a web bug could well have taken effect.
More likely they used some unpublished vulnerability in Outlook, possibly even one that the FBI found themselves...?
You can't make anything foolproof, they'll only invent better fools.
(Somewhat off-topic, but a related topic, honestly)
About a month ago I discovered what could be deemed a weakness in a relatively popular online merchant's order status system, allowing anyone to view the order status for any order in the system just by changing an ID field in the URL. I often try changing such values in URLs like this for no real reason (a habit from designing my own web-based scripts), and I've never found an exploit until now.
So with a simple perl script, it would be possible to download and parse the mailing address, shipping address, items ordered, amount paid, credit type (NOT credit card type or credit card number, thankfully) and other assorted information for any given order. After some brief checking, I determined there were over five million orders viewable in this manner, going back a few years.
So what am I supposed to do? I have no interest in establishing a 'business relationship' with this online merchant, telling everyone how to do it seems like it would cause more harm than good, and I fear being ostracized or even litigated for 'hacking' if I tell the company, even if all I did was change a sequential, non-encrypted number in an URL.
Or is the information accessible not a big deal to worry about?
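What the post above found is the classic "change the number in the URL" flaw: the status page trusts a sequential id and never asks whether the requester owns the order. As an added example (not code from the thread or from any real merchant), here is a constructed order table with the lookup written both ways, plus an HMAC-tagged token for the case where a status link has to be mailed to a customer who has no login. The order data and DEMO_SECRET are assumptions for the demo.

```python
import hmac
import hashlib

# Constructed order table standing in for the merchant's database; the ids
# are sequential, exactly the property the post above describes.
ORDERS = {
    1001: {"customer": "alice", "ship_to": "1 Main St", "total": "49.99"},
    1002: {"customer": "bob",   "ship_to": "2 Oak Ave", "total": "120.00"},
}

# Hypothetical server-side secret; a real deployment loads it from config.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


class Forbidden(Exception):
    """Raised when the caller may not see the requested order."""


def order_status_vulnerable(order_id):
    """The pattern in the post: whoever supplies an id gets the record.
    Nothing ties the order to the person asking."""
    return ORDERS[order_id]


def order_status_hardened(session_user, order_id):
    """Authorize on every lookup: the record must belong to the session user.
    Missing and not-yours produce the same error, so ids cannot be enumerated
    by watching which ones return 'not found' versus 'forbidden'."""
    order = ORDERS.get(order_id)
    if order is None or order["customer"] != session_user:
        raise Forbidden("no such order for this user")
    return order


def make_order_token(order_id, secret=DEMO_SECRET):
    """Opaque reference for links sent to the customer (e.g. guest checkout):
    the sequential id is still inside, but it carries an HMAC tag so that
    editing the number invalidates the token."""
    tag = hmac.new(secret, str(order_id).encode(), hashlib.sha256).hexdigest()[:32]
    return f"{order_id}.{tag}"


def parse_order_token(token, secret=DEMO_SECRET):
    """Return the order id if the tag verifies, else None."""
    try:
        id_part, tag = token.split(".", 1)
        order_id = int(id_part)
    except ValueError:
        return None
    expected = hmac.new(secret, str(order_id).encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(tag, expected):
        return None
    return order_id


if __name__ == "__main__":
    print("vulnerable, any id works:", order_status_vulnerable(1002)["ship_to"])
    print("hardened, own order:", order_status_hardened("bob", 1002)["ship_to"])
    try:
        order_status_hardened("alice", 1002)
    except Forbidden as exc:
        print("hardened, someone else's order:", exc)
    tok = make_order_token(1001)
    print("token", tok, "->", parse_order_token(tok))
    print("tampered token ->", parse_order_token("1002." + tok.split(".")[1]))
```

The token only stops guessing; it is not a substitute for the ownership check, which is the actual fix. Anyone who can read the link still sees that order, so tokens belong in mail to the customer, never in a page that a logged-in session could have authorized directly.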
I imagine that yep, this person isn't savvy enough to not use html email, and they slipped a web bug into the email. Hell I'd try it just on the off chance, and it looks like it paid off for your Feds that time...
I've had one case where a friend and I were writing a boobytrapped shell on a Linux box, to use as the login shell for a suspected system cracker, and he logged in, saw the new shell (which we hadn't quite installed yet) and RAN THE BLOODY THING FOR US! We got all the data we needed to track him down right there and then, phoned his ISP and got him shut off on the spot.
So - yes, even the more savvy often do really really stupid things...
-- ted russ http://www.arach.net.au/~ted/mydynes/ http://www.arach.net.au/~ted/myblogs/
I messed around with this, you can do it several ways. I had an img in an email that called a remote PHP script which got the requesting IP address, stored it in a MySQL table along with an index id, then generated an email that was sent to me notifying me of a new entry. The PHP script finally returned an image to the email recipient.
"All it takes to fly is to hurl yourself at the ground... and miss." -D. Adams
The problem with an embedded image bug is that if the recipient views the source of the email -- and presumably this alleged extorter is a techie -- it's easy to spot such a bug, and so there's a real risk that including a bug would tip him off to the investigation.
So, it may be an HTML bug, but perhaps not...
Here's what I do: Bitty Browser & Andromeda
Sound advice to be sure... However that only takes care of the first part of the problem: communicating with your business partner... Now if your business partner realizes that they do need your service how do you get the money?
As a large, publicly-held company, what happens at Best Buy has a much greater impact on the public well-being than what happens to your Joe Citizen, and in my opinion merits a much greater response.
Yes, but the nasty little constitution gets in the way, and legally, a company merits less protection than a private citizen.
Here in my city, a small business was being extorted $3 million, and the FBI refused to handle it. The local police said it was a prank, and never investigated. The business owner ran a little "sting" of his own, found the guy doing it, and beat him bloody with a baseball bat. In the end, he went to jail, but the extortionist was acquitted for "extenuating circumstances," although I'll never know what those circumstances would be to make a real estate agent threaten to burn down an Italian restaurant.
Hmmm. Really reminds me more of J. Edgar Hoover. But you are right. Better we should take our lessons from across the oceans than from the fascists in our own backyard.
(not that Stalin and Beria were nice guys, mind you -- it's just that there aren't mass executions in the U.S. yet)
...
They probably simply used the Received headers in the mail to track the Nit down. *OR*, my personal favorite, the Nit may have used @Yahoo.com or @Hotmail.com, which pops the originating IP address of the workstation/proxy.
You guys really shouldn't believe every last detail you read in the newspaper...
If the Gov't had a Big Brother method of "tracking" you, do you really suppose they'd publicly reveal *HOW* it's done?
Not in all instances.
When connecting to an Exchange server, the option to disable notifications can be disabled, basically, Outlook/Exchange will respond back with the notifications automatically and the option to disable them is grayed out. Many businesses desire this option and use it.
For non Exchange server use, the option is yours.
Bad boys rape our young girls but Violet gives willingly.
Am I the only one surprised by the fact that this guy apparently used his "real" e-mail address while trying to illegally extort a major corporation? Has he not heard of proxy servers? Anonymous remailers? If he didn't use these, then all of these posts about this being no big deal are right on. If he was smart enough to do all of these things and the mystery government e-mail was still able to sniff him out, well then that makes me wonder...
---
Take it sleazy,
-The Shockmaster
They insert a 'special' serial binary stream - one that can be imbedded in pictures (child porn), email, Warez, illegal MP3s - you name it. They then have a special listener installed at the majority of all ISPs - whenever this special stream comes through a (logical) wire it logs the IPs, logon info etc. Very efficient, very secure, very accurate.
Actually, I just made all this up, but now that I mention it, does anyone think they're are getting away with anything anymore?
slashdot troll = you make a compelling argument I do not like the implications of.
Thankfully, no company has yet exercised option 3: prosecute you for computer crime. It doesn't matter if they don't have a case or what laws are on your side -- they have the money, power, and desire to utterly ruin your life regardless.
These people market and sell a product they probably know is shoddy. What makes you think they'd have the moral fibre or restraint to refrain from shooting the messenger? You can't trust their software, what makes you think you can trust them?
I've finally had it: until slashdot gets article moderation, I am not coming back.
This stuff happens every day.. you get a warrant , you start investigation and you catch criminals ( you hope )
With a warrant you can do all sorts of invasive things, such as wiretaps, hidden cameras, borderline entrapment stings.. whatever the judge approves...
Just normally it doesn't reach the news, as its really not news worthy...
---- Booth was a patriot ----
My friends and I used the same image trick to grab an IP for someone who was sending illicit and harassing e-mails to my sister. What made it even freakier was that this person knew information about her (like what clothes she wore to school etc.). Turned out to be some clown who went to her school in Oklahoma and moved to Michigan. As soon as we tracked down the ISP that was handing out his specific IP, they were more than willing to turn over the user's name (especially since my sister was a minor; ISPs tend to take anything involving minors very seriously and won't hesitate to give up customer information then, I mean, we weren't the cops or anything).
Interesting idea. I wonder how to get per-process firewall functionality on Linux.
That's actually the goal of government in general, regardless of the party.
There are several writers out there that prove categorically that a decline in morality due to a lack of self-control leads the people to elect leaders (tyrants) to control them.
The loss of civil rights you mention is a direct result of people not being able to control themselves. Since we live in societies and need some form of control, in the absence of self-control we elect leaders who will provide the control that the society requires. This usually takes the form of tyranny.
"Tyranny grows from a lack of self-control. Our passions forge our chains." (Rousseau, quoted in Against Excess, by Mark Kleiman)
"The only completely certain restraint is self-control based on the voluntary acceptance of certain moral and ethical standards and principles." (Philip of England )
See Rome et al for examples.
Actually this would make an interesting Slashdot topic. I've often marvelled at the fact that in many companies, certain members of an IT team have the potential to commit serious crime, AND cover their tracks until well after they've left the country. Whereas normal personnel in a company can work there for 20 years and not have access to sensitive information, an admin/developer can often wander in to a job and have complete access to every part of the business within a day...
Code, Hardware, stuff like that.
Pardon me if I do not sympathize with this guy who can spoof his e-mail address, but can't tell Outlook (I assume) to not display HTML. If he had just sent them a polite note that said "this is broke, here's how I discovered it, what it does, etc., here is how to fix it", then I think the community could be outraged. This is nothing more than a common criminal act. Just because it was tech-related does not make it more romantic or noble. And while you may not agree with the technology, which sounds about as mysterious as spyware, it served its intended purpose this time, in the future who knows though.
I hate sigs.
Yeah sure, "Internet device known as an Internet Protocol Address Verifier"
How much you want to bet this super dooper secret tool just creates an HTML message with an inline 1x1 gif/png/jpg image hidden in the body that makes a call to a webserver somewhere to download it.
This is what the spammers do to verify that people read their messages, and this is what I know some mailing list managers do in order to see if their postings actually get read.
Obviously doesn't help if you don't use something like Outlook or OE, but would work on most of the people out there.
Brielle
The article link now takes you to a registration page, to register for StarTrib content.
Luckily, I had read it the first time before the gauntlet was dropped.
I wonder if this will become a new trend. Bait Slashdot into linking to an interesting article you have, then switch it for a subscription page.
We need a new term for the behavior - SlashBS - Slashdot Bait & Switch.
It all depends what kind of crime.
The Zodiac Killer was never caught, but was still extremely famous. He left encrypted messages at crime scenes, some of which the cops solved, and some of which remain unsolved to this day, even with the full attention of public cryptologists trying to crack them.
...that Best Buy's web site is currently inaccessible?
--- Ban humanity.
I have scanned through the comments and most are talking about using html/images to track him. What if the FBI/TLA agency is just goofing everyone? - like mechanics telling someone that their "muffler bearings" need replacing.
:)
With that in mind, what if their "Internet Protocol Address Verifier" is just turning on the "receipt/delivery notification requested" option when they sent him their outgoing email? I have mine turned on by default and I know that there are a number of people whose email servers and/or clients return a read notification to me without them really realizing it. It won't give you the client IP in every case, but it does give you various amounts of useful info.
That wouldn't necessarily be defeated by using pine, etc, etc.
One of my favorite fun uses for read notifications is to see when the evil catbert trolls from HR are pawing through the email inbox of someone in the company that got canned or left without marking all my msgs as read. The trolls don't realize it sends me a read notification as they paw through, so when I get one from a "being phased out" email account, I send an email saying:
Oh my God, so-and-so did you come back? I hope so.
Sorry that you were gone, everyone missed you.
Ugh, what a job to have, like looking through someone's pockets after they're dead...
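Both mechanisms discussed in this thread, the hidden 1x1 remote image in an HTML body (the "Brielle" and PHP-script comments above) and the read-receipt request header this comment describes, are visible in the raw message, which is the defender's angle: a mail gateway or client can flag them before anything is fetched or acknowledged. The following is an added example, not code from the thread; it audits a constructed sample message (no real hosts) with Python's standard email and html.parser modules and reports receipt-request headers, remote images, and which of those images are sized or styled to be invisible.

```python
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample message: one inline (cid:) logo, one 1x1 remote image of
# the kind discussed above, one ordinary remote banner, and a read-receipt
# request header. None of the hosts are real.
SAMPLE_EMAIL = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
Disposition-Notification-To: sender@example.invalid
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Thanks for your order.</p>
<img src="cid:logo" width="120" height="40">
<img src="http://tracker.example.invalid/open?id=12345" width="1" height="1">
<img src="https://cdn.example.invalid/banner.png" width="468" height="60">
</body></html>
"""

# Headers that ask the receiving client to send a notification back.
RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To")


class ImageCollector(HTMLParser):
    """Collect every <img> whose src points at a remote URL."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if src.lower().startswith(("http://", "https://")):
            self.images.append(a)


def _dimension(value):
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def looks_like_web_bug(img):
    """A remote image the reader is not meant to see: 1x1 or smaller, or hidden by CSS."""
    w, h = _dimension(img.get("width", "")), _dimension(img.get("height", ""))
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    style = img.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden


def audit_message(raw):
    """Report read-receipt requests and remote images in a raw RFC 822 message."""
    msg = message_from_string(raw)
    receipts = [h for h in RECEIPT_HEADERS if h in msg]   # header lookup is case-insensitive
    remote = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, errors="replace")
        collector = ImageCollector()
        collector.feed(html)
        remote.extend(collector.images)
    return {
        "receipt_requests": receipts,
        "remote_images": remote,
        "likely_web_bugs": [i for i in remote if looks_like_web_bug(i)],
    }


if __name__ == "__main__":
    report = audit_message(SAMPLE_EMAIL)
    print("receipt requests:", report["receipt_requests"])
    for img in report["remote_images"]:
        flag = "WEB BUG?" if looks_like_web_bug(img) else "remote image"
        print(f"{flag:13} {img['src']}")
```

A client that refuses to load remote images and never auto-answers Disposition-Notification-To defeats both tricks by policy; this script is the check you run on mail that has already arrived, or at a gateway, to see who is asking. The size heuristic is deliberately crude: a banner-sized remote image is still a request to the sender's server, so "remote_images" is the list that matters for privacy, and "likely_web_bugs" only separates out the ones that were clearly not meant to be seen.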
Am I missing something obvious or shouldn't all these computer criminal masterminds be taking advantage of the countless unsecured WAPs in every city? The bottom line is that every connection you make via wire from your home can plausibly be traced so why not get a laptop, wander around the city and send out your demands from the comfort of a park bench. Let the FBI send every tracer they can think of, they'll always end up with nothing. Seems kind of worth it if you're trying to lift $2.5 million. I wouldn't be surprised if within 5 years the gov't makes a law holding all WAP owners accountable for the security of their system.
CommentBot 0.7a running with args "-module irritate,disagree -target random"
>HTML actually comes in handy as many clients now use it for text formatting such as bold, italics, or bulleted items.
:-)
Sure...
*Nobody* could _ever_:
* Do
* That
* Before!
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Interesting fact:
:-)
If your phone company bills the government for a tap (they can sometimes) check your bill carefully. If it's anything like Canada, this may screw up the taxes (clearly, the wiretapping charge won't appear on the bill, but the computer may forget to deduct the charge from the taxes portion of the bill as they did for Canada).
Just thought you might find it interesting.
Except that you /didn't/ give an example for italics. _This_ is usually interpreted as underlining, where I come from. You *did* get bold correct, however.
;)
And that's the point. If it's not the real thing, it's open to (mis)interpretation. I've had unsavvy friends who asked if their computer was broken since they were getting garbage characters at the end of many of my sentences.