Slashdot Mirror


Feds Thwart Extortion Plot Against Best Buy

hiero writes "From an article in the Star Tribune: 'Federal authorities said Tuesday they thwarted an extortion plot against Best Buy Co. Inc. by a man who sent the company an e-mail threatening to expose what he claimed were weaknesses in the retailer's computer system unless he was paid $2.5 million.' What's really interesting to me, though, is this paragraph further on in the article: 'The federal search warrant was obtained the morning of Oct. 24 and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.' Internet Protocol Address Verifier? Is this Carnivore in action?"

11 of 942 comments (clear)

  1. IP Address Verifier == web bug by morzel · · Score: 5, Interesting
    "Internet Protocol Address Verifier? Is this Carnivore in action?"
    Methinks that would be marketing speak for an HTML mail with a web bug (1x1 transparent pixel image loaded from remote server). If the 'villain' is using a mail program that displays HTML, his IP address is logged.

    --
    Okay... I'll do the stupid things first, then you shy people follow.
    [Zappa]
    1. Re:IP Address Verifier == web bug by orthogonal · · Score: 5, Interesting

      Methinks that would be marketing speak for an HTML mail with a web bug

      That's my guess too. If so, had the extortionist had his mail client set up like mine, he wouldn't have had his IP "verified".

      My client, actually, is the (rightfully) much maligned Microsoft Outlook, but I don't have a problem with web bugs, because my firewall only allows Outlook to connect to one address -- my domain's mail server -- and only to two ports at that address, ports 110 and 25.

      This means no web bugs or any referenced (as opposed to inlined) images are ever displayed. In the few cases where I actually want to see referenced images, this is a minor inconvenience, but it's more than offset by knowing that no spammer -- or corporation -- ever gets verification of my email address.

      For most mail, of course, it's not an issue. Important email rarely if ever contains referenced images; indeed I discourage anyone from sending me HTML-encoded email at all.

      And if I want to view a url included in an email, I just click on it, and Firebird (which is allowed to connect to any address, so long as it's to port 80) displays the url. If I really want to see an email in its full glory (and I never do), I can always save it and then open it in Firebird.

    2. Re:IP Address Verifier == web bug by Milalwi · · Score: 4, Interesting

      clever criminals don't get caught so you don't hear about them

      Indeed. A few years ago, I was talking to a friend of mine who was a county prosecutor about a case which had happened in my end of town.

      A woman had her daughter's boyfriend murder her husband for the insurance money. I was amazed that she thought the authorities wouldn't figure it out. My friend said(paraphrasing): "They're mean and they're stupid. You have no idea how mean and how stupid... The smart ones don't get caught."

      Of course, most of criminals *think* they're smart enough to get away with their crimes. But as researchers have found, they probably don't know they're not smart enough to avoid being caught.

      Milalwi
  2. Well, ironic isn't it? by metlin · · Score: 5, Interesting

    One one hand, if a genuine white hat hacker finds an exploit in a network and told the owners about it, s/he finds himself ostracized for the actions, and is threatened with legalities.

    And on the other hand, what this guy tried to do was establish a "business relationship" -- notice that he did try to contact them first with the offer to help them:

    The e-mail also offered to establish an unspecified business relationship between the sender and Best Buy, adding: "Without your response, we are obligated to share the security hole with the public for their protection. As a result, Best Buy may experience a loss in business, thefts and lawsuits."

    Ofcourse, once he noticed he wasn't getting anywhere, he decided to resort to good ole' blackmail.

    Honestly, this was bound to happen some day or the other. When legitimate security people point out bugs and holes, they get treated like scum and are threatened with law suits. So whats the best thing to to? Threaten the companies with money. Even if 0.1% of the companies gave in, it still is a way of making money.

    Good, atleast this way companies will be more careful about protecting data.

    1. Re:Well, ironic isn't it? by tuxette · · Score: 4, Interesting
      Honestly, this was bound to happen some day or the other.

      I think it's happening more often than what we read about in the mainstream press. Most businesses want to keep things hush-hush as to not generate bad publicity.

      Good, atleast this way companies will be more careful about protecting data.

      I doubt it, although I tend to be a pessimist when it comes to these matters. As long as they can hide behind lawsuits, it will be business as usual.

      My final note of pessimism: things are going to get much worse before they get better. Brace yourselves!

      --
      People say I'm crazy, I got diamonds on the soles of my shoes...
  3. Internet Protocol Address Verifier? Pfft... by eaglebtc · · Score: 4, Interesting

    Hmm, sounds like a fancy name for a computer expert. All you have to do is read the SMTP headers in most email and it will reveal the sender's IP. Just trace it back down the line of servers through which the email was routed, and you get back to the original IP address.

    If the sender is spoofing headers, however, this becomes more difficult. Why not just subpoena the ISP for their email data? Doesn't the server keep a log of what IP addresses sent which pieces of email?

    For example:

    Received: from [65.119.30.157] (helo=SMTP.magnellmail.net)
    by snoopy-bak.runbox.com with smtp (Exim 4.24)
    id 1Ae9TJ-0006F6-B0
    for xxxxxxxx@runbox.com; Wed, 07 Jan 2004 09:55:25 +0100
    Received: from mail pickup service by E1SSL2 with Microsoft SMTPSVC;
    Wed, 7 Jan 2004 00:56:48 -0800

    The above shows that someone at 65.119.30.157 sent this email. It went through their mail server (magnellmail.net) to runbox, my provider. From there, Runbox directed it to my Inbox when I opened Outlook.

    There is also a very unique message ID at the end of the headers section:

    Message-ID: [E1SSL23ZpEVmkWFBXZG000011b9@E1SSL2]

    Could this be used by the Email provider to find out who sent emails, if the IP address is missing or spoofed?

    --
    Homestarrunner.net -- It's Dot Com!
  4. Google appears to be stumped too by chronus22 · · Score: 5, Interesting

    This is the first time google has heard about it as well, apparently.

  5. Concerns about Best Buy by Anonymous Coward · · Score: 5, Interesting

    I'm much more concerned that their cash registers use WiFi without a lick of encryption... I read several stories a while back about people sitting out in the parking lot with sniffers, capturing credit card information...

  6. What are you supposed to do? by Anonymous Coward · · Score: 5, Interesting

    (Somewhat off-topic, but a related topic, honestly)

    About a month ago I discovered what could be deemed a weakness in a relatively popular online merchant's order status system, allowing anyone to view the order status for any order in the system just by changing an ID field in the URL. I often try changing such values in URLs like this for no real reason (a habit from designing my own web-based scripts), and I've never found an exploit until now.

    So with a simple perl script, it would be possible to download and parse the mailing address, shipping address, items ordered, amount paid, credit type (NOT credit card type or credit card number, thankfully) and other assorted information for any given order. After some brief checking, I determined there were over five million orders viewable in this manner, going back a few years.

    So what am I supposed to do? I have no interest in establishing a 'business relationship' with this online merchant, telling everyone how to do it seems like it would cause more harm than good, and I fear being ostracized or even litigated for 'hacking' if I tell the company, even if all I did was change a sequential, non-encrypted number in an URL.

    Or is the information accessible not a big deal to worry about?

  7. HTML bug by teddlesruss · · Score: 5, Interesting

    I imagine that yep, this person isn't savvy enough to not use html email, and they slipped a web bug into the email. Hell I'd try it just on the off chance, and it looks like it paid off for your Feds that time...

    I've had one case where a friend and I were writing a boobytrapped shell on a Linux box, to use as the login shell for a suspected system cracker, and he logged in, saw the new shell (which we hadn't quite installed yet) and RAN THE BLOODY THING FOR US! We got all the data we needed to track him down right there and then, phoned his ISP and got him shut off on the spot.

    So - yes, even the more savvy often do really really stupid things...

    --
    -- ted russ http://www.arach.net.au/~ted/mydynes/ http://www.arach.net.au/~ted/myblogs/
  8. However, a bug says: "you're being bugged" by turnstyle · · Score: 4, Interesting
    "You don't need a big surveillance program, just add a bug to your email"

    The problem with an embedded image bug is that if the recipient views the source of the email -- and presumably this alleged extorter is a techie -- it's easy to spot such a bug, and so there's a real risk that including a bug would tip him off to the investigation.

    So, it may be an HTML bug, but perhaps not...

    --
    Here's what I do: Bitty Browser & Andromeda