Digital Thieves Use Ex-Employees' Accounts
prostoalex writes "The New York Times is running an article about a new generation of digital thugs. Using unsecured wireless networks, free e-mail accounts, a wealth of security knowledge, and, most important - employee passwords, thieves are getting access to valuable company databases. Once they're in, they start extorting the companies to pay up for them to leave. Otherwise phony e-mails to customers and sensitive information published publicly will lead to an embarrassment."
Why would someone do something so evil?
Bytes - IT Community
This was going on in 1996 and has been ever since so how is this a "New Generation"; the only thing that has changed between now and then is now we have more insecure WIFI networks but really that doesn't change how the game is played at all.
"Once they're in, they start extorting the companies to pay up for them to leave. Otherwise phony e-mails to customers and sensitive information published publicly will lead to an embarrassment."
Enron and WorldCom exposed early.
It seems like mostly smaller and medium-sized businesses would be vulnerable to this, not larger corporations, or perhaps a small division of a larger corp, because access to big cash usually requires the blackmailee to go through some kind of board of directors who are going to refuse to yield, while a more tightly-knit mom and pop shop is going to have no one to turn to. A big company could have all sorts of resources immediately available for damage control (e.g. warning customers of fraudulent information, quick access to high-level law enforcement, à la FBI). Sigh, and all because of wireless networks. When are Cisco, D-Link and Netgear going to learn to turn on encryption by default? Microsoft learned the hard way; users are too damn stupid to secure anything on their own, and that includes business. That's what it comes down to, stupidity.
Take off every sig. For great justice.
Other than, you know, free loot, I can't see the point either.
I think this is completely awesome.
Ignorance, yes.
Users shouldn't have to understand how it all works and how to secure their network/PC. It should come that way.
Much as your car does. You shouldn't have to understand how the locks work, or the ECMs. They should 'just work'.
Is it nice that you can tear down and rebuild a transmission in 2 hours flat? Sure, but you can't expect the average citizen to know that.
---- Booth was a patriot ----
Why the hell would you have a corporate database directly accessible over the Internet? Even for online banking, wouldn't it make much more sense to have one server contacting customers, making sure that one IP goes with one account at a time, and requesting data from the database server?
Whew! Thank goodness! I thought maybe all those industry secrets that guy published publicly (sic) were gonna do some actual harm to the company.
The difference between spam and poop is that you don't have to dig through septic tanks looking for real food. -- Me
I love the writing style in the submission (or is it TFA?) ...
ok, so say my company has 'a database' with 'client information' in it.
Nobody is going to have "select * from foo" privileges.
And the data is probably meaningless without a client application.
They make it sound like the Wargames movie - where some guy 'gets into' 'the system' and gets 'the data'. It's a lot harder than this.
I know from experience that it's easy enough to compromise an employee, who can print pages of stuff out, or save things as an Excel file, and put it on a thumbdrive, than it's going to be to get on a wireless network, manage to connect to 'the database' and run 'the query' that magically dumps you all the right data.
I want to delete my account but Slashdot doesn't allow it.
"D.D.O.S. attacks are still one of the primary ways of extorting a company, and we're seeing a lot of that," said Larry D. Johnson, special agent in charge of the United States Secret Service's criminal division.
Heck, they talk like it is such a big deal to start a DOS attack. Just post an article like "Walla Walla school district to abandon FreeBSD and use Linux desktops" on slashdot, using your target's web site for the article location.
Arggggh, it's copyright infringement not theft :P get it right. There's a frickin difference. </joke>
I don't know why this is Slashdot-worthy. Get in your car with a Win 98 laptop and a crappy wireless card and drive through a commercial area. Free internet, anyone? You'd think by now it'd have gotten better...it hasn't. From what I've seen, any type of wireless encryption is becoming harder to find in the mass of networks here in LA.
I think the main problem for the wannabe hacker is the getting paid bit. How the heck do they remain anonymous and get paid?
It's all very well to do that to a company, but you aren't exactly going to hand out your own bank details to the company in order to get paid.. heh.
- paul
http://pmp.deviantart.com/
Pmp @ DeviantArt
Since we're talking about stupid stuff from the mid 90s.. WinNuke makes a comeback with Windows Vista!
lameness filter thwarted.
...last year on /.
It was then that the stalker made a series of mistakes. Among them, he began to brag. In an e-mail message titled "Fire them all," he informed Mr. Videtto that he had found valuable MicroPatent documents by going "Dumpster diving to the Dumpster and recycle bins located in a parking lot on Shawnee Road" in Alexandria, Va., where the company maintained a branch office.
From "The Incredibles":
Syndrome: Oh, ho ho! You sly dog! You caught me monologuing!
Ah yes, the evil cybervillain cannot resist the urge to pontificate about his supposed superior intellect and abilities to his victims. Of course, by doing so they reveal all kinds of details about their nefarious plans and give the victims time enough to escape or capture the idiot.
Monologuing trips up the bad guy every time. It seems to me that the people telling us how "Many times, companies just pay the hackers off to avoid embarrassment." have little or no real facts to back up those claims.
... where someone threatens a denial of service attack on an online gambling/betting or porn site that's already running "beneath the radar" of legislation in nations that would prefer to shut them down.
In other words, it's just sensationalist writing.
In any nation with reasonably well enforced laws protecting a company's I.P. - I would think it's pointless for an extortionist to even attempt this. Sure, you might have the technical means to steal the proprietary info (especially if the company has unsecured or poorly secured wi-fi networks), but then what?
Even the guy in this story got caught after unsuccessfully trying to scam money out of just one company. And today, it would seem to be much more difficult to get away with than it was even a few years ago. The government and law enforcement are getting more knowledgeable about Internet-based crime all the time, and since 9-11, the U.S. at least has enacted more laws giving feds the ability to "spy" on net traffic and trace things back to their source.
I really don't believe any legitimate business would think it made sense to pay some hacker millions of dollars in extortion money. This is MUCH more effective in situations like the one discussed in a Slashdot story a while back
you will be modded -1 for extremely homosexual comment about BSD and linux.
Cars are 'systems'. Vastly more complex than that PC you are sitting at now. It also has much more real ramifications if it doesn't perform. People can die.
It is not realistic to expect average users to understand the PC from a technical side. It has *nothing* to do with stupidity or laziness. It's an appliance to them, nothing more.
IT people are hired to be experts, we do agree on that part. They should know what they are doing and take action.
---- Booth was a patriot ----
Nothing will change until a large attack steals congressional credit card numbers, blacks-out the entire East Coast for two weeks, diverts Taco Bell supply trucks to Canada, or shuts down all the free porn sites. We are a reactionary society. Even when tools like encryption and AV are practically free, 99.9% of the population won't use them until something really bad happens or they are forced. Security WILL be forced upon us after a "Digital Pearl Harbor" touches us all. It's not a matter of if, but when.
You touch yourself at night!!
This is MUCH more effective... ...site that's already running "beneath the radar"
I don't know, I think there are plenty of companies that operate 'above the radar' that would be horrified at the thought of customers being able to see what's really going on in the back room. Getting the FBI involved can be thought of as riskier than just paying up. If they are detected while going to the authorities, the psycho that's threatening them can release all the secrets and just disappear. Screw the money, you're just plain going DOWN now. Just as kidnappers can threaten (and make good on that threat) that they will harm or kill their captive if you go to the cops. And, just because your business is legitimate on paper doesn't mean it's actually operating that way either.
There seems to be a lot of comment about the case, considering that he asked to have the cheque made out in his own name.
This line even appears in court documents (pdf).
.. paranoid crackpot leftover from the days of Amiga.
In five years, you won't be able to give this stuff away.
Many thieves really have trouble keeping their mouths shut. They just can't help but brag about how much they rule because they managed to pull off some scam. They end up talking themselves into jail. Same holds true after they are arrested. If they were smart, they'd clam up and let their lawyer do all the talking; instead they run their mouth, and the police are able to start to play lies against each other and eventually break their story.
I mean in the real world it's not usually as overdone as in the movies, but yes, lots of crooks really do wind up in jail because they couldn't stay quiet about what they'd done.
Why do we have to put up with this stupid NYT reg crap?? ... Keep this rag with its registration requirements where it belongs... in the trashcan... unless a non-reg link can be provided in the original article....
Just my .02 cnts
*--- Sometimes a majority only means that all the fools are on the same side. ---*
What, exactly, does wifi change? The average big dumb company has all of their desktops running Outlook, IE and other trash. So every one of their computers is open to exploit from everywhere in the world. So what's a big dumb company to worry about? Their desktops having keyloggers and back orifice put on by any of the 300,000,000 Winblows computers in the world, or someone sitting in their parking lot? Why would anyone go to the trouble of parking outside your building when they can exploit you from afar?
I saw it happen to my computer at the last big dumb company I worked for. I clicked on an email and it exploded porn browsers and started churning the hard drive. I hit the power button. When I reported the incident to the email administrator, they were clueless and thought I was worried about being nailed for porn. They did not believe me either and insisted on clicking the damn thing by pc anywhere. They left without waiting for the results to show, so the stupid thing executed to completion. When I asked them if they wanted to reinstall my machine, they blew it off as "normal advertising". With attitudes like that, the company network was a sieve.
Now these morons at the New York Times would scare people away from wireless networks. Perfect. It's the kind of logic that you see where cell phones with cameras are forbidden but normal cameras and photo copiers are not. Don't you know someone will sell you a solution?
Friends don't help friends install M$ junk.
Only a few months ago I read from a respectable psychiatric source (and I wish I could find you a link right now) that more than 10% of those in 'political' life likely suffer from a form of narcissistic psychopathic personality disorder. NPD is one of the most frightening disorders when you really understand it: you actually have no core personality and understand yourself only in a power relation to others whose behaviour defines your own. What we commonly call charismatic and charming people are more likely to be NPD sufferers. Politicians and confidence tricksters are commonly sufferers; rather than being 'clever' (NPDs are often marked by above average intelligence) they are deeply damaged. Many of those we hold in high regard as leaders and 'action' people are actually mentally ill, normatively speaking.
If you have never heard of this I suggest you research it and you will be astonished how the symptom list fits the behaviour of so many public figures.
If M$ marketing, executive and legal were to die off tomorrow, users would be forced to seek a sys admin or learn (or get a Mac, which is STILL a step up)... which means there would be fewer idiots on the net. It's about the same as requesting that ALL drivers be forced to KNOW how to identify and check fluids, and ANY damage done by negligence should be charged triple at the repair shop (just imagine those head gaskets being charged to some idiot at triple rate!!) A law like that would mean that I would have to do LESS repairs on cars with damaged head gaskets because the user/driver "didn't think they had to check oil unless the 5000 mile marker was coming up, and why would he/she have to know that driving a high revving engine in 110 degree weather (fahrenheit) without ever checking fluids first, might damage their 5000.00 to 10000.00 USD (BMW) motor... who'd believe that, eh?"
Until people are made responsible and PAINFULLY so , about their rights, and consequences of not being PROACTIVE on their own, then nothing will change. People put off RISK onto others expecting that others will take care of it for them.
It's like prostate cancer for men and breast cancer for women. If you don't proactively check for it, then you deserve the painful death you get for not bothering to so much as get a damn 100 dollar checkup each year. (granted it is QUITE unpleasant for men, yet for women it can even be done at home before they even GO to the doctor).
Besides, it's easy to afford it. All we American IT types have to do is stop eating supersized meals and get water instead of fries and a soft drink (water's better for health and weight reasons anyways). You'd be amazed how quick you'll save the cash for that checkup (or for spare hardware for that BSD rig in the corner).
Same thing goes with STDs: if you sleep around, get a damn checkup. There are free clinics everywhere so you don't have to get sharked for 199 per checkup at the regular doctor joint.
The problem with all of the above is, as the PT said, people in our country are LAZY LUSERS!! They need to get hurt badly before they'll learn... and in doing so, they will get those of us that are in the "non ignorant, non idiot" minority to pay the price with them.
" What luck for rulers that men do not think" - Adolf Hitler
Try the f...ine link. It's registerless.
Sheesh, what a knee jerk reaction. Probably thinks FreeBSD is dying, too.
What really shows that the story is sensationalist is the fact that in the end, the guy asks the company to write a check to him using his real name. So all that FBI, tracking him down, etc. was a complete waste of everyone's time - All they had to do was ask "ok, who should we write the check to?"
Although I love the part where the hacker threatens to open the web bug in a hex editor! Oooohh! And the NYT tries to explain what that means, defining a hex editor as "software that allows users to preview the contents of incoming files.."
I'm posting this so that you (the moderator) have some context to consider twitter and not mod him up whenever he posts his filler preformatted rants about installing Knoppix or Mepis or whatever that unfortunately get him karma every single time and allow him to continue posting his trademark toxic crap (read on) day in and day out. You may consider this a troll - I consider it community service. And I ain't kidding.
If you're a /. subscriber, I invite you to look through some of his posting history. I guarantee that you'll be hard pressed to find someone that is more "out there" than twitter. You'll also probably notice he's got quite an AC following. Don't just read his posts, make sure you go through the replies.
To get an idea of what I'm talking about, check this post out. This is an article about email disclaimers. The parent of the post is complaining about the ads in the linked page and so on, and twitter actually goes off on a rant to blame it on Microsoft and recommend Lynx, because "is teh free".
Here's another. In this post twitter not only calls the OP a troll but attempts to "tell it like it is" while making some vague argument about "GNU". Yes, if you're confused, you're not alone. The reply (modded +4) proceeds to simply destroy his bogus argument. You will notice he did not reply. This is what some people call "drive-by advocacy". A sort of I'll just leave you with my thoughts here and move on to the next flamebait kind of deal. In fact, he almost never replies because he knows that his fanatical arguments simply do not hold up to any sort of discussion. It's not that he's chosen the wrong cause - he's just going at it in a completely wrong way.
Here's that drive-by advocacy and FUD in motion: twitter goes on about some topic and then drops the usual "oh and M$ is teh evil" because "WMP phones home" or some such. Called on his FUD, he then claims that WMP stores every song and movie you've ever played in a file, somewhere. Pressed further, he just sort of slithers out of sight, his FUD-spreading complete. This is not about some Microsoft technology that nobody likes anyway; it's about lying for the sake of lying. Way too many of his posts are exactly like this one.
More? Just read through this post and the subsequent replies. I guess this stands on its own. Or these two. Or this one. Or this one.
Still not convinced? This is what twitter considers "humour" while going about his daily "M$" routine.
Let's see, my car has a computer that lets me change the way the transmission works (adaptive, economic, sport) and I don't see the result until I'm driving. There are other settings that I don't pay much attention to but could end up setting them differently by accident.
My mother plugged her digital camera's charger into my wife's car and it blew some fuse that changed the car from automatic to manual until we figured out that this was the problem.
Cars are plenty complex and you can do lots of things to screw them up.
"Mr. Tereshchuk was sentenced to five years in prison after pleading guilty"
Ok, I realise this is a bit off topic, but this guy has "hand-grenade components and ricin ingredients", is mentally imbalanced, and attempts extortion to the tune of 17 million and he only gets 5 years? However, joe public who shares a movie through bit torrent could potentially get 3 years? Does that make sense to anyone?
Same goes for spammers .. They're always trying to sell something, just follow where the money's going.
When I was an intern as a sysadmin a couple of years ago in a quite big company, I had access to all the domain servers and could see all the accounts.
I asked my supervisor if all those accounts were in use. He didn't know. I did a bit of research, and found out that between 5% and 10% of the accounts belonged to old interns, employees that had left, or people that changed group. In a company with 15000 employees, that makes a really big bunch of wandering accounts. No wonder people can find 1 or 2 accounts in this bunch whose password is "Love" and gain access to undisclosed information, without anybody noticing.
I wouldn't mind you in my head, if you weren't so clearly mad -Lews Therin Telamon
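The orphaned-account problem this poster describes is something an admin can check for on a schedule rather than discover by accident. Below is an added example, not from the thread or any product: it runs a stale-account audit over a constructed CSV account export and a constructed HR leavers list (both assumed formats), flagging enabled accounts whose owner has left, that have never logged on, or that have been idle past a cutoff.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not real data). Empty last_logon = never logged on.
ACCOUNT_EXPORT = """sam,display_name,enabled,last_logon,created
jdoe,Jane Doe,True,2005-02-28,2001-05-10
intern01,Summer Intern,True,2003-09-01,2003-06-02
bsmith,Bob Smith,True,,2004-11-20
svc_backup,Backup Service,True,2005-03-01,2002-01-15
mlee,Mary Lee,False,2004-01-03,2000-08-22
"""

# Constructed HR leavers list: account names of people who have left.
HR_LEAVERS = {"jdoe", "intern01"}

NOW = datetime(2005, 3, 2)   # fixed "today" so the example is reproducible
MAX_IDLE_DAYS = 90


def parse_export(text):
    """Parse the assumed CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "sam": row["sam"],
            "enabled": row["enabled"] == "True",
            "last_logon": (datetime.fromisoformat(row["last_logon"])
                           if row["last_logon"] else None),
            "created": datetime.fromisoformat(row["created"]),
        })
    return rows


def audit(accounts, leavers, now=NOW, max_idle_days=MAX_IDLE_DAYS):
    """Return {sam: [reasons]} for enabled accounts that need review.

    Disabled accounts are skipped; they cannot be used to log on.
    """
    findings = {}
    idle_cutoff = now - timedelta(days=max_idle_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reasons = []
        if acct["sam"] in leavers:
            reasons.append("owner has left but account is still enabled")
        if acct["last_logon"] is None:
            # A never-used account is only suspicious once it is old enough.
            if acct["created"] < idle_cutoff:
                reasons.append("never logged on since creation")
        elif acct["last_logon"] < idle_cutoff:
            reasons.append(f"no logon in {max_idle_days} days")
        if reasons:
            findings[acct["sam"]] = reasons
    return findings


if __name__ == "__main__":
    for sam, reasons in audit(parse_export(ACCOUNT_EXPORT), HR_LEAVERS).items():
        print(sam, "->", "; ".join(reasons))
```

Each flagged account is a candidate for disabling; the leavers list catches the case the poster describes, where HR knows someone has gone but the directory does not.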
>I really don't believe any legitimate business would think
>it made sense to pay some hacker millions of dollars in extortion money.
Hey - ask around.
I've had many conversations about black hats and what to do about them if you find things as innocuous as a rogue FTP server running on one of our hosting systems.
One interesting comment has been that an organization is inviting war on themselves when they kick out these kinds of squatters...best bet is to lay down ground rules for them so they don't affect your business/bandwidth and let sleeping dogs lie. The small amount of blood that these leeches take is small compared to the bloodletting that would ensue if they were denied.
The key point is often that your business looks very much less secure when you look as if you CAN'T prevent an onslaught that disrupts your client's business. They don't care that you're fighting a hacker army of darkness...they just take their business elsewhere.
It's not fair, but more and more it's looking like e-commerce is analogous to a running wildebeest herd...at every river crossing there are crocodiles waiting for that unlucky 2%. Then there are the lions....
When it's your time to die, perhaps it really is better to pay up...in the minds of a board of directors without infinite resources, it might seem better to face a payout than having certain info released. Imagine if ENRON had been compromised 12 months prior to it going belly up. You BET they'd have paid up if someone threatened to out them to their investors.
Interesting topic no less.