Feds Thwart Extortion Plot Against Best Buy
hiero writes "From an article
in the Star Tribune: 'Federal authorities said Tuesday they thwarted an extortion plot against Best Buy Co. Inc. by a man who sent the company an e-mail threatening to expose what he claimed were weaknesses in the retailer's computer system unless he was paid $2.5 million.' What's really interesting to me, though, is this paragraph further on in the article: 'The federal search warrant was obtained the morning of Oct. 24 and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.' Internet Protocol Address Verifier? Is this Carnivore in action?"
Okay... I'll do the stupid things first, then you shy people follow.
[Zappa]
One one hand, if a genuine white hat hacker finds an exploit in a network and told the owners about it, s/he finds himself ostracized for the actions, and is threatened with legalities.
And on the other hand, what this guy tried to do was establish a "business relationship" -- notice that he did try to contact them first with the offer to help them:
The e-mail also offered to establish an unspecified business relationship between the sender and Best Buy, adding: "Without your response, we are obligated to share the security hole with the public for their protection. As a result, Best Buy may experience a loss in business, thefts and lawsuits."
Ofcourse, once he noticed he wasn't getting anywhere, he decided to resort to good ole' blackmail.
Honestly, this was bound to happen some day or the other. When legitimate security people point out bugs and holes, they get treated like scum and are threatened with law suits. So whats the best thing to to? Threaten the companies with money. Even if 0.1% of the companies gave in, it still is a way of making money.
Good, atleast this way companies will be more careful about protecting data.
Hmm, sounds like a fancy name for a computer expert. All you have to do is read the SMTP headers in most email and it will reveal the sender's IP. Just trace it back down the line of servers through which the email was routed, and you get back to the original IP address.
If the sender is spoofing headers, however, this becomes more difficult. Why not just subpoena the ISP for their email data? Doesn't the server keep a log of what IP addresses sent which pieces of email?
For example:
Received: from [65.119.30.157] (helo=SMTP.magnellmail.net)
by snoopy-bak.runbox.com with smtp (Exim 4.24)
id 1Ae9TJ-0006F6-B0
for xxxxxxxx@runbox.com; Wed, 07 Jan 2004 09:55:25 +0100
Received: from mail pickup service by E1SSL2 with Microsoft SMTPSVC;
Wed, 7 Jan 2004 00:56:48 -0800
The above shows that someone at 65.119.30.157 sent this email. It went through their mail server (magnellmail.net) to runbox, my provider. From there, Runbox directed it to my Inbox when I opened Outlook.
There is also a very unique message ID at the end of the headers section:
Message-ID: [E1SSL23ZpEVmkWFBXZG000011b9@E1SSL2]
Could this be used by the Email provider to find out who sent emails, if the IP address is missing or spoofed?
Homestarrunner.net -- It's Dot Com!
Personally, Why isn't technology like this being adapted to fight SPAM. Maybe the FBI is trying to keep tools like this under wraps so they can continue to use it against people, rather than knowledge of its existance being a deterrent... double-edged-sword i guess. I'm honestly curious how serious the extortionists were... The scheme sounds very half-hatched to me...
~~~ SCO sued me because I printed this t-shirt with a Linux driven printer...
This is the first time google has heard about it as well, apparently.
I'm much more concerned that their cash registers use WiFi without a lick of encryption... I read several stories a while back about people sitting out in the parking lot with sniffers, capturing credit card information...
I'm not sure why the parent is moderated as funny, but it's completely true. That's probably what their IP address verifier used. It's low-tech, but will catch many morons.
Even there may be something that may trace from wich (IP) address an event happened (thou I completely agree with the 1x1 gif idea) . I don't see how it may prove something in court.
What if the email was send (the smtp server was invoked) from a compromised computer. There are lots of win98 online with hundreds exploits ready waiting for somebody who needs an IP to do something from. What if the person uses a cascade of proxyes and shells.
I will just mention all the possibilites the iproute2 package gives to move network segments and obscure what is going on.
We should do everything possible to prevent the court system to take computer generated information (logs) as a reliable evidence, because it may be just the start of the witch hunt...
(Somewhat off-topic, but a related topic, honestly)
About a month ago I discovered what could be deemed a weakness in a relatively popular online merchant's order status system, allowing anyone to view the order status for any order in the system just by changing an ID field in the URL. I often try changing such values in URLs like this for no real reason (a habit from designing my own web-based scripts), and I've never found an exploit until now.
So with a simple perl script, it would be possible to download and parse the mailing address, shipping address, items ordered, amount paid, credit type (NOT credit card type or credit card number, thankfully) and other assorted information for any given order. After some brief checking, I determined there were over five million orders viewable in this manner, going back a few years.
So what am I supposed to do? I have no interest in establishing a 'business relationship' with this online merchant, telling everyone how to do it seems like it would cause more harm than good, and I fear being ostracized or even litigated for 'hacking' if I tell the company, even if all I did was change a sequential, non-encrypted number in an URL.
Or is the information accessible not a big deal to worry about?
I imagine that yep, this person isn't savvy enough to not use html email, and they slipped a web bug into the email. Hell I'd try it just on the off chance, and it looks like it paid off for your Feds that time...
I've had one case where a friend and I were writing a boobytrapped shell on a Linux box, to use as the login shell for a suspected system cracker, and he logged in, saw the new shell (which we hadn't quite installed yet) and RAN THE BLOODY THING FOR US! We got all the data we needed to track him down right there and then, phoned his ISP and got him shut off on the spot.
So - yes, even the more savvy often do really really stupid things...
-- ted russ http://www.arach.net.au/~ted/mydynes/ http://www.arach.net.au/~ted/myblogs/
The problem with an embedded image bug is that if the recipient views the source of the email -- and presumably this alleged extorter is a techie -- it's easy to spot such a bug, and so there's a real risk that including a bug would tip him off to the investigation.
So, it may be an HTML bug, but perhaps not...
Here's what I do: Bitty Browser & Andromeda
Hmmm. Really reminds me more of J. Edgar Hoover. But you are right. Better we should take our lessons from across the oceans than from the fascists in our own backyard.
(not that Stalin and Beria were nice guys, mind you -- it's just that there aren't mass executions in the U.S. yet)
Thankfully, no company has yet exercised option 3: prosecute you for computer crime. It doesn't matter if they don't have a case or what laws are on your side -- they have the money, power, and desire to utterly ruin your life regardless.
These people market and sell a product they probably know is shoddy. What makes you think they'd have the moral fibre or restraint to refrain from shooting the messenger? You can't trust their software, what makes you think you can trust them?
I've finally had it: until slashdot gets article moderation, I am not coming back.
Interesting idea. I wonder how to get per-process firewall functionality on Linux.
The only way to actually know that someone is actually receiving your e-mail at a particular location is to include a web bug that reports their IP address back to you, by opening a socket connection directly to something on a server you own (e.g. an image). So either include an image in the e-mail which is requested from your server, or include a trojan that "phones home" when they run it.
Wrong. If you were talking about you or me.. that would be true. But if you were talking about an organization that had the means to find any email on any provider, then all you would need is to include a unique identifier in the email so that you would be able to locate among the billions of uninteresting ones.
I used to monitor commercial pager traffic. So that on my PC I would see every page, from every person on a given provider. If I wanted to find the "capcode" (basically a pagers ESN) of a user on the system, I would only have to send them a page with a unique number and grep it. From that point on I could single that user out for monitoring. So, this could be the same thing, only with email. Word.
Actually this would make an interesting Slashdot topic. I've often marvelled at the fact that in many companies, certain members of an IT team have the potential to commit serious crime, AND cover their tracks until well after they've left the country. Whereas normal personel in a company can work there for 20 years and not have access to sensitive information, an admin/developer can often wander in to a job and have complete access to every part of the business within a day...
Code, Hardware, stuff like that.
It all depends what kind of crime.
The Zodiac Killer was never caught, but was still extremely famous. He left encrypted messages at crime scenes, some of which the cops solved, and some of which remain unsolved to this day, even with the full attention of public cryptologists trying to crack them.