Slashdot Mirror
Feds Thwart Extortion Plot Against Best Buy
hiero writes "From an article
in the Star Tribune: 'Federal authorities said Tuesday they thwarted an extortion plot against Best Buy Co. Inc. by a man who sent the company an e-mail threatening to expose what he claimed were weaknesses in the retailer's computer system unless he was paid $2.5 million.' What's really interesting to me, though, is this paragraph further on in the article: 'The federal search warrant was obtained the morning of Oct. 24 and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.' Internet Protocol Address Verifier? Is this Carnivore in action?"
I think it's called a return receipt :-D Probably was using Outlook which automagicly sends one when requested.
Blogzine
That's what happens when you try to extort a big company using Outlook.
"0101100101? It's just jibberish. *looks in mirror, gasps* 1010011010@!? AHHHHHH!!"
Okay... I'll do the stupid things first, then you shy people follow.
[Zappa]
and this is where he's going to say his computer was hi-jacked, right? Even Carnibore has its limitations.
Easy does it. You don't need a big surveillance program, just add a bug to your email that "grabs" the reader's IP addy and voila!
Easy does it, apply the KISS principle to life.
~~~Please pass the salt, I hate unsalted MD5s
sounds so much better than "ping"
One one hand, if a genuine white hat hacker finds an exploit in a network and told the owners about it, s/he finds himself ostracized for the actions, and is threatened with legalities.
And on the other hand, what this guy tried to do was establish a "business relationship" -- notice that he did try to contact them first with the offer to help them:
The e-mail also offered to establish an unspecified business relationship between the sender and Best Buy, adding: "Without your response, we are obligated to share the security hole with the public for their protection. As a result, Best Buy may experience a loss in business, thefts and lawsuits."
Ofcourse, once he noticed he wasn't getting anywhere, he decided to resort to good ole' blackmail.
Honestly, this was bound to happen some day or the other. When legitimate security people point out bugs and holes, they get treated like scum and are threatened with law suits. So whats the best thing to to? Threaten the companies with money. Even if 0.1% of the companies gave in, it still is a way of making money.
Good, atleast this way companies will be more careful about protecting data.
Hmm, sounds like a fancy name for a computer expert. All you have to do is read the SMTP headers in most email and it will reveal the sender's IP. Just trace it back down the line of servers through which the email was routed, and you get back to the original IP address.
If the sender is spoofing headers, however, this becomes more difficult. Why not just subpoena the ISP for their email data? Doesn't the server keep a log of what IP addresses sent which pieces of email?
For example:
Received: from [65.119.30.157] (helo=SMTP.magnellmail.net)
by snoopy-bak.runbox.com with smtp (Exim 4.24)
id 1Ae9TJ-0006F6-B0
for xxxxxxxx@runbox.com; Wed, 07 Jan 2004 09:55:25 +0100
Received: from mail pickup service by E1SSL2 with Microsoft SMTPSVC;
Wed, 7 Jan 2004 00:56:48 -0800
The above shows that someone at 65.119.30.157 sent this email. It went through their mail server (magnellmail.net) to runbox, my provider. From there, Runbox directed it to my Inbox when I opened Outlook.
There is also a very unique message ID at the end of the headers section:
Message-ID: [E1SSL23ZpEVmkWFBXZG000011b9@E1SSL2]
Could this be used by the Email provider to find out who sent emails, if the IP address is missing or spoofed?
Homestarrunner.net -- It's Dot Com!
Is it when he offered a "business relation" in exchange for fixing the problem? Or was it when he threatened to disclose the flaw? Or was it merely because he wanted money in return?
Had he just disclosed the flaw, would he more or less a criminal, ethically and legally speaking? It seems that worse would have come if he had simply published the flaw right away.
Was he justified in asking for compensation for his findings? If not, this seems to obligate us to "work for free" when discovering such a security problem.
What do others here think?
This is just a case of bad journalism. Of course, there are many methods of getting the IP of the receiver of an email The most common is a webbug (a link to an image on a server you control), but that requires for the culprit to use a mail client that renders HTML.
"Internet Protocol Address Verifyer" sounds like something you'd find in a Movie OS. Of course, like all other buzz words, the name is not related to the alledged function.
They either used a webbug, og checked the IP in the header of the mail he sent with his claim.
They got a warrant BEFORE they used the program. Whatever the program did - read information from his PC or just return IP address - it was a valid, legal search. We should be considering this a victory for our rights. The only way I can see anyone complaining about this is if the warrant was improperly obtained, but it seems entirely reasonable to "search" the email address that has been attempting blackmail.
They probably just read the mail headers as soon as he replied to the letter they sent him. From this and the time the email was sent they probably had no trouble asking his isp for the user information. Criminals are not always the smartest apples and he probably didnt even have a way to crack the website.
If he wasnt clueless he would have used a dummy email account and checked it via rental computer or at the very least a dial up account using *69 ( which can still leave your number ) and a prepaid credit card / gift card.
This guy reminds me of the old irc script kiddies who would do things from their house and wonder how they were tracked down. While anonomyzers are available it makes me wonder if he,
a. used one
b. had used a computer before
As to the FBI ip verifier i find it hard to believe they have anything more advanced then the current jscript / asp / log parsers to pull ip information.
AFIK the absolute most a email address can yeild is the ip of the server. However with the email headers im sure you can get a ip without too much trouble with a warrant.
Karma's over rated. Speak your mind.
Make sure you turn off Message Disposition Notification in your e-mail client.
Sheesh, evil *and* a jerk. -- Jade
Internet Protocol Address Verifier? Is this Carnivore in action?"
That'll be a tiny 1x1 pixel gif embeded in a HTML e-mail called from the feds server.(AKA web bug... You cant turn off HTML in M$ LookOut and this dude dosent sound very clued up)
Presto, the feds know who opend the mail how long they looked at it etc etc etc.
A top tip (tm) is to embed a web bug in a job aplication e-mail. Its interseting to watch your aplication being pushed around various departments and see who actually reads it.
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
Over here there is a Congressional Statement of what Carnivor "officialy" does, or is "allowed" to do. One paragraph of this statement:
Carnivore is a very effective and discriminating special purpose electronic surveillance system. Carnivore is a filtering tool which the FBI has developed to carefully, precisely, and lawfully conduct electronic surveillance of electronic communications occurring over computer networks. In particular, it enables the FBI, in compliance with the Constitution and the Federal electronic surveillance laws, to properly conduct both full communications' content interceptions and pen register and trap and trace investigations to acquire addressing information.
gives us the gist of it. So yes this very well be Carnivore in action.
"It usualy starts with some screaming. Afterwards there is much running around."
This is the first time google has heard about it as well, apparently.
I'm much more concerned that their cash registers use WiFi without a lick of encryption... I read several stories a while back about people sitting out in the parking lot with sniffers, capturing credit card information...
Somehow, this power accumulation and surveilance (sic) reminds me of Senator Palpatine. I just hope I'm wrong.
Huh. It reminded me of Stalin and Beria and the NKVD, but you're right, better we should take our lessons from space opera than from history.
George Lucas's fertile imagination is so much more convincing than those ponderous, dusty history books. And you can't eat popcorn and jujubes while reading books, it gets the pages too sticky.
Opinions on the Twiddler2 hand-held keyboard?
You cant turn off HTML in M$ LookOut
;-)
Oh yes you can - something I rely on to avoid spammers using the same trick!
this dude dosent sound very clued up
My thought exactly
A top tip (tm) is to embed a web bug in a job aplication e-mail. Its interseting to watch your aplication being pushed around various departments and see who actually reads it.
h eck.ins.govr rorism.dhs.org. com
Yes, it's very interesting. For example, here's the log of all the machines who accessed my web bug when applied for a job at the DHS:
frontdesk.dhs.gov
hr.dhs.gov
check.dhs.gov
c
check.irs.org
it.dhs.org
counterte
legal.dhs.org
submitsubpoena.aol
bust.usmarshals.gov
brb 2 secs, someone's at the door...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Anyone that reads 666 otherwise known as the hacker quarterly knows about all the problems in Best Buys network.
It even goes in depth on how to get into thier private network from a display PC.
How to find info on hiring and firing people etc.
How to order stuff and have it sent.
and few other ways of hiding yourself, as below
1. Dedicated firewalled Linux Laptop with WLAN, and changing MAC
2. WarDrive around for a unsecure internet connection.
3. Use proxies from unsecured PC's, lists available from DBL providers, or you Email server logs.
4. Setup up a web mail account, and send business proposal.
5. WarDrive to other access poiunt for continuing dialog
6. Travel around a bit to avoid setting a Wardrive pattern
I would think this would be very difficult to trace without social engineering
mailto:EatSpamAndDie@princeweb.com
Yeah but since PATRIOT, everything is a valid search...
Is this Carnivore in action?
:)
No, it isn't. Like another poster said, this is really just a web bug. Carnivore is a sophisticated system for parsing billions of e-mails and flagging interesting things like threats against the President for analysts to examine, but has nothing to do with validating return addresses or anything like that.
The only way to actually know that someone is actually receiving your e-mail at a particular location is to include a web bug that reports their IP address back to you, by opening a socket connection directly to something on a server you own (e.g. an image). So either include an image in the e-mail which is requested from your server, or include a trojan that "phones home" when they run it.
It works. Try it the next time you want to see who's really spamming you. Just send a web bug to whatever the response address is they want you to contact, (you know, for your Nigerian money-laundering instructions), and then examine your server logs carefully to find out where they really are in the world. Of course, you could also send them a backdoor if you wanted, instead of just a beacon, but I would never countenance such uncivilized behavior
You have to realize that we are getting our information about this incident from a NEWSPAPER, which the very least reliable source for technical topics. Remember this clueless newspaper article?
I'd say we know little about what actually happened here.
(Somewhat off-topic, but a related topic, honestly)
About a month ago I discovered what could be deemed a weakness in a relatively popular online merchant's order status system, allowing anyone to view the order status for any order in the system just by changing an ID field in the URL. I often try changing such values in URLs like this for no real reason (a habit from designing my own web-based scripts), and I've never found an exploit until now.
So with a simple perl script, it would be possible to download and parse the mailing address, shipping address, items ordered, amount paid, credit type (NOT credit card type or credit card number, thankfully) and other assorted information for any given order. After some brief checking, I determined there were over five million orders viewable in this manner, going back a few years.
So what am I supposed to do? I have no interest in establishing a 'business relationship' with this online merchant, telling everyone how to do it seems like it would cause more harm than good, and I fear being ostracized or even litigated for 'hacking' if I tell the company, even if all I did was change a sequential, non-encrypted number in an URL.
Or is the information accessible not a big deal to worry about?
Imagine his surprise when he received a $2.5 million Best Buy Gift Card in the mail. Doh!
I imagine that yep, this person isn't savvy enough to not use html email, and they slipped a web bug into the email. Hell I'd try it just on the off chance, and it looks like it paid off for your Feds that time...
I've had one case where a friend and I were writing a boobytrapped shell on a Linux box, to use as the login shell for a suspected system cracker, and he logged in, saw the new shell (which we hadn't quite installed yet) and RAN THE BLOODY THING FOR US! We got all the data we needed to track him down right there and then, phoned his ISP and got him shut off on the spot.
So - yes, even the more savvy often do really really stupid things...
-- ted russ http://www.arach.net.au/~ted/mydynes/ http://www.arach.net.au/~ted/myblogs/
Uh, the likelihood is that it was a web bug, in which case webmail won't help - the request comes from your browser, and thus IP. In fact, webmail makes it worse, because a lot of email software can disable web bugs or can't display them to begin with, web browsers don't tend to disable loading remote images ;-)
Free Java games for your phone: Tontie, Sokoban
This is not surveillance. This is just identifying the IP address of the recipient of email. Seems to me that's rather similar to using ping or whois. IP addresses and domain registrations are public, not private.
/. posts that sxeem to believe otherwise. Get over it. The Internet is not special and people don't get a free pass because they use it for criminal behavior.
It's also rather similar to your local mail carrier knowing where you live. Is that surveillance, too, or are you simply paranoid?
If Best Buy had received the same threat via snail mail, and the FBI looked at the return address on the envelope, would you be screaming about surveillance?
The Internet is not some mystical land that exists apart from reality and the law, contrary to the constant stream of silly
Next time, please think bekore exposing yourself as a paranoid llon, OK?
-- Slashdot: When Public Access TV Says "No"
Huh. It reminded me of Stalin and Beria and the NKVD, but you're right, better we should take our lessons from space opera than from history.
In Imperial Coruscant, history takes lessons from YOU!
without their permissions you are a criminal, both legally and morally. My stuff is my stuff and I'll thanky ou to keep your hands off it. If you wish to audit anyhting I have, physical or virtual, you'd better ask my permission first, or you'll face consequences.
This seems perfectly reasonable and there is plenty of precident in the physical world:
My house has many known security flaws. The largest would be the windows. They are easily broken with just a rock, allowing access. My door would also be a flaw, it's solid, but nothing a battering ram in experienced hands couldn't break down in a few minutes. My lock is aslo a flaw. IT's better than most, a high security lock that is much harder to pick than normal, but it still is pickable.
So, if someone breaks into my house and demands money to fix it, should I honour that? No, I'd by perfectly jsutified in holding them at gun point and calling the police to have them punished. Regardless of thier intent, it's MY house and you'd better not enter it without my permission.
It is similar for computer systems. If I pay you to hack my stuff and report on it, great. YOu are providing a valuable service and I thank you. IF you break into my stuff without my permission, you are a criminal pure and simple.
Also, demanding money ex post facto is something else we have a law against, it's called balckmail and is illegal.
Look, if you want to find flaws in stuff, do it legally. Contact the owner and ask if you may hack them. If they say no, move on. IT is not your duty or right ot mess with their stuff without permission.
Look, if you have a peice of software and you hack it on your own systems and/or network, that it leagal. You then publish teh exploit, also legal. However if you come and hack MY network without my permission, that's NOT legal.
People who illegally break into systems deserve no more respect or consideration than people who illegally break into houses. You have no right at all to enter or use other people's property without their permission. Don't pretend like because it is a computer system that makes it any better.
IT's like lock picking. IF you want to learn to pick a lock and find out its venurabilities, go right ahead. But do it on a lock you own. But the lock in question and play with it. To go to someone else's house and try on their lock without permission is illegal and immoral. You've no right to mess with their property.
So if you get asked/hired to test someone's security (physical or virtual), great. Do what you can and give them a report. If you have something you own (physical or virtual) and you discover a security flaw, great, make it known so a fix can be developed. But do NOT presume you have the right to invade the property of others. It doesn't matter if it is venurable or not, it's not yours so you keep out.
The problem with an embedded image bug is that if the recipient views the source of the email -- and presumably this alleged extorter is a techie -- it's easy to spot such a bug, and so there's a real risk that including a bug would tip him off to the investigation.
So, it may be an HTML bug, but perhaps not...
Here's what I do: Bitty Browser & Andromeda
Obviously you have never lived in a country that kills its OWN citizens. Obviously you haven't heard of the totalitarian regimes in Germany, USSR, and USA's close friends Saudi Arabia and Egypt. Obviously you haven't heard of the damage done to civil rights activists in the 60's by the FBI and the CIA. Obviously you have never been targetted by the police. Obviously you are not a minority man (particularly black) living in some parts of USA. Obviously you haven't heard of the infiltration of the FBI by organized criminals (particularly the Italian mafia in the 60's and 70's). Obviously you haven't heard of police fabricating information and jailing people. Obviously you haven't heard of the government cooking up bogus charges and jailing people. Obviously McCarthyism is not part of your collective mind. Obviously you haven't heard of John Ashcroft's recent decree to spy on antiwar activists. Obviously you believe the legal system represent justice....Obviously you underestimate the power of the goverment.
So to answer your question, I would rather have some guy off the street spying on me than the goverment ANY DAY OF THE WEEK! There is something that you don't understand about the government--any government. Governments are far more powerful than 1000 people put together! They have immense power. The illusion of a legal system--which IS an illusion--does not change any of this. One just needs to look through the history of the government that you live under to see what I mean (I picked USA but you can pick any govt).
Sivaram Velauthapillai
Sivaram Velauthapillai
Seeking the meaning of life... @slashdot of all places
We applaud the hackers who so cleverly get around protections on technology. We had our "Free Kevin Mitnick" and "Free Dmitry" campaigns.
Here is a nice hack done for a good reason by the same law enforcement that is supposed to investigate and stop such crimes as extortion. And how do we react? Government spying! Conspiracy!
Really. That's just not very reasonable on our part.
Hot Damn! It's the Soggy Bottom Boys!
I've actually run into this issue a few times. The action I've taken in the past pretty much directly relates to the severity of the security flaw. For example, I've seen URL hacks which allow you to grab another customer's credit card information, and then some which allow only address information.
My rule of thumb is that if a piece of information can be obtained and tracked to a specific individual, it's dangerous. That's the rule I use in my work as well.
When I decide the situation warrants it, I send a professional, formal email to the company ( also the web admin if there is one ), stating what I found, screenshots and leave it at that. Sometimes I will point out that I intended to place an order, but halted when I saw the issue. I also let the company know they may contact me if more information is needed.
This is what has happened in the past following these emails:
1. Almost all companies send me an email thanking me and letting me know the problem has been corrected, and it has been. Case closed.
2. I get a nasty email from the company ( usually this is with SMALL operations) telling me to take my business elsewhere. At first I would attempt to politely explain the risk, but soon realized that some sites have no intention of listening to me, and gave up. In that case, I may notify the BBB or other organization just to get someone else on their tail. I don't have time to chase down other people's security holes, so the best I can hope for is to let others know.
In any case, I always use the Enron rule: What if I later had to explain my actions to a grand jury?
As opposed to a big company who tries to extort us to use Outlook?
My beliefs do not require that you agree with them.
Here are three ways to get on America's Dumbest:
1. Rob Taco Bell right after filling out job appication and interview. Be arrested when cops show up at your address on the application.
2. Send extortion/blackmail emails using MS-Outlook from your normal ISP account. Be busted when FBI sends email using marketing tool like Neighborhood Email or eZine Manager. FBI is too embarassed to admit they used an e-newsletter tool and come up with the "ip address verifier" device.
3. Shoplift naked. Be arrested when cop identifies the incredibly stupid butcher's meat chart tatoo when streaking through campus on a dare.
4. Keep crack pipe, crack and lighter in glove box. Be arrested when you see a billboard advising "Drug checkpoint next exit" and begin throwing crack, lighter and pipe out the window while police are video taping looking for people throwing drugs and paraphanellia out the window.
-- $G
This is another reason I like reading /. You guys give me a good whack on the side of the head on nearly a daily basis.
.gif files where a server-side plugin can compare the requested .gif to a known email and verify "yep - that addy is active" - even when most people ignore the unsubscribe links.
I read this and was foolishly thinking (probably like many do) that "oh, if I don't download an attachment and execute it there really is no danger. I mean really, if I don't "run" anything, how would anyone know?"
Silly wabbit is right. It's another case myself of not being able to see the forest for the trees.
I guess ANY HTML email can be malicious in a sense that it can snarf info if it actually interprets and points you to ANY website when you read it in its rendered state.
Talk about eye opening. I'll bet 90% of the general public don't actually realize this can easily be done for targeting purposes. With this in mind it's probably not hard (and don't flame me for not knowing this guys) but targeted spam in order to verify addresses could point to "specially coded"
"The aspects of things that are most important to us are hidden because of their simplicity and familiarity" - Ludwig Wittgenstein
Never have a philosophy which supports a lack of courage
Didn't anyone else think that maybe just asking the reporter would do the trick? His email address is right at the bottom of the article.
<sarcasm> oh wait - this is slashdot right - only two people actually read the article. </sarcasm>
I emailed Mr. David Phelps asking what an "Internet Protocol Address Verifier" was and his brief reply was the following.
"it's commonly referred to as a web bug. i used the term as contained in the government's search warrant."
So while the theorizing here did come up with that as a possibility - it also came up with lots of other BS.
Now the bizarre thing is that the feds used such a wierd term. Then again to a judge or lawyer the term "web bug" probably seems pretty bizarre.
If you're looking for sources of information, Ward Churchill and Jim Vander Wall's book Agents of Repression: The F.B.I.s Secret Wars Against the Black Panther Party and the American Indian Movement (South End Press) is a good start. When large numbers of readers refused to believe the stuff they had written (even though it extensively referenced the FBI's own documents), they did a follow-up book that just reprinted the FBI material called The COINTELPRO Papers: Documents from the FBI's Secret Wars Against Dissent in the United States. Harder to disbelieve that, I guess.
Have a look at the 'owner' match extension to iptables:
Maybe you'll learn something... just maybe.
Sivaram Velauthapillai
Sivaram Velauthapillai
Seeking the meaning of life... @slashdot of all places