Digital Thieves Use Ex-Employees Accounts
prostoalex writes "The New York Times is running an article about a new generation of digital thugs. Using unsecured wireless networks, free e-mail accounts, a wealth of security knowledge, and, most important - employee passwords, thieves are getting access to valuable company databases. Once they're in, they start extorting the companies to pay up for them to leave. Otherwise phony e-mails to customers and sensitive information published publicly will lead to an embarrassment."
This was going on in 1996 and has been ever since, so how is this a "New Generation"? The only thing that has changed between now and then is that now we have more insecure WiFi networks, but really that doesn't change how the game is played at all.
It seems like mostly smaller and medium-sized businesses would be vulnerable to this, not larger corporations, or perhaps a small division of a larger corp, because access to big cash usually requires the blackmailee to go through some kind of board of directors who are going to refuse to yield, while a more tightly-knit mom and pop shop is going to have no one to turn to. A big company could have all sorts of resources immediately available for damage control (e.g. warning customers of fraudulent information, quick access to high-level law enforcement, à la FBI). Sigh, and all because of wireless networks. When are Cisco, D-Link and Netgear going to learn to turn on encryption by default? Microsoft learned the hard way; users are too damn stupid to secure anything on their own, and that includes business. That's what it comes down to, stupidity.
Take off every sig. For great justice.
"D.D.O.S. attacks are still one of the primary ways of extorting a company, and we're seeing a lot of that," said Larry D. Johnson, special agent in charge of the United States Secret Service's criminal division.
Heck, they talk like it is such a big deal to start a DOS attack. Just post an article like "Walla Walla school district to abandon FreeBSD and use Linux desktops" on Slashdot, using your target's web site for the article location.
But you do exactly one thing with a vehicle: you move stuff in it. It's an assembly of a few simple systems, including, usually, locks, AC, stereo, and the vehicle itself. Your car doesn't serve arbitrary media, facilitate content creation, and enable you to search the Internet and talk to your friends, as well as monitor itself, all with one complex system.
Sure, a computer isn't a single system, but it's a set of systems with a single interface, and your actions are rather more separated from effects than driving a car.
So if you want to have a computer that's configured so it'll 'just work', you need someone else to tell you what you're going to use it for. That's the only way to streamline the interface so people can maintain their laziness or stupidity, or not spend time they don't have to learn a complex interface.
Corporations, on the other hand, have special needs that a reduced interface would break. But they have the resources to hire people who do understand computers. Just like UPS hires mechanics to service its vehicles. There are two issues:
- Corporations don't want to spend more time and lose more money in implementing and testing secure systems--they want something that 'just works', not something that works well.
- The people being hired by corporations are probably incompetent or else uncaring, at least in the case of all those recent incidents such as the CardSystems breakin. Both factors are influenced by budgeting: corporations aren't spending enough to hire good IT people, and they aren't spending enough to pay their IT people to do a good job.
And I agree about Booth--he was a true champion of states' rights.
I think the main problem for the wannabe hacker is the getting paid bit. How the heck do they remain anonymous and get paid?
It's all very well to do that to a company, but you aren't exactly going to hand out your own bank details to the company in order to get paid... heh.
- paul
http://pmp.deviantart.com/
Pmp @ DeviantArt
It was then that the stalker made a series of mistakes. Among them, he began to brag. In an e-mail message titled "Fire them all," he informed Mr. Videtto that he had found valuable MicroPatent documents by going "Dumpster diving to the Dumpster and recycle bins located in a parking lot on Shawnee Road" in Alexandria, Va., where the company maintained a branch office.
From "The Incredibles":
Syndrome: Oh, ho ho! You sly dog! You caught me monologuing!
Ah yes, the evil cybervillain cannot resist the urge to pontificate about his supposed superior intellect and abilities to his victims. Of course, by doing so they reveal all kinds of details about their nefarious plans and give the victims time enough to escape or capture the idiot.
Monologuing trips up the bad guy every time.
It seems to me that the people telling us how "Many times, companies just pay the hackers off to avoid embarrassment." have little or no real facts to back up those claims.
... where someone threatens a denial of service attack on an online gambling/betting or porn site that's already running "beneath the radar" of legislation in nations that would prefer to shut them down.
In other words, it's just sensationalist writing.
In any nation with reasonably well enforced laws protecting a company's I.P. - I would think it's pointless for an extortionist to even attempt this. Sure, you might have the technical means to steal the proprietary info (especially if the company has unsecured or poorly secured wi-fi networks), but then what?
Even the guy in this story got caught after unsuccessfully trying to scam money out of just one company. And today, it would seem to be much more difficult to get away with than it was even a few years ago. The government and law enforcement are getting more knowledgeable about Internet-based crime all the time, and since 9-11, the U.S. at least has enacted more laws giving feds the ability to "spy" on net traffic and trace things back to their source.
I really don't believe any legitimate business would think it made sense to pay some hacker millions of dollars in extortion money. This is MUCH more effective in situations like the one discussed in a Slashdot story a while back
Nothing will change until a large attack steals congressional credit card numbers, blacks out the entire East Coast for two weeks, diverts Taco Bell supply trucks to Canada, or shuts down all the free porn sites. We are a reactionary society. Even when tools like encryption and AV are practically free, 99.9% of the population won't use them until something really bad happens or they are forced. Security WILL be forced upon us after a "Digital Pearl Harbor" touches us all. It's not a matter of if, but when.
This is MUCH more effective... ...site that's already running "beneath the radar"
I don't know, I think there are plenty of companies that operate 'above the radar' that would be horrified at the thought of customers being able to see what's really going on in the back room. Getting the FBI involved can be thought of as riskier than just paying up. If they are detected while going to the authorities, the psycho that's threatening them can release all the secrets and just disappear. Screw the money, you're just plain going DOWN now. Just as kidnappers can threaten (and make good on that threat) that they will harm or kill their captive if you go to the cops. And, just because your business is legitimate on paper doesn't mean it's actually operating that way either.
There seems to be a lot of comment about the case, considering that he asked to have the cheque made out to his own name.
This line even appears in court documents (pdf).
.. paranoid crackpot leftover from the days of Amiga.
Many thieves really have trouble keeping their mouths shut. They just can't help but brag about how much they rule because they managed to pull off some scam. They end up talking themselves into jail. Same holds true after they are arrested. If they were smart, they'd clam up and let their lawyer do all the talking; instead, they run their mouth, and the police are able to start to play lies against each other and eventually break their story.
I mean in the real world it's not usually as overdone as in the movies, but yes, lots of crooks really do wind up in jail because they couldn't stay quiet about what they'd done.
Only a few months ago I read from a respectable psychiatric source (and I wish I could find you a link right now) that more than 10% of those in 'political' life likely suffer from a form of narcissistic psychopathic personality disorder. NPD is one of the most frightening disorders when you really understand it: you actually have no core personality and understand yourself only in a power relation to others whose behaviour defines your own. What we commonly call charismatic and charming people are more likely to be NPD sufferers. Politicians and confidence tricksters are commonly sufferers; rather than being 'clever' (NPDs are often marked by above average intelligence), they are deeply damaged. Many of those we hold in high regard as leaders and 'action' people are actually mentally ill, normatively speaking.
If you have never heard of this I suggest you research it and you will be astonished how the symptom list fits the behaviour of so many public figures.
If M$ marketing, executive and legal were to die off tomorrow, users would be forced to seek a sys admin or learn (or get a Mac, which is STILL a step up)... which means there would be fewer idiots on the net. It's about the same as requesting that ALL drivers be forced to KNOW how to identify and check fluids, and ANY damage done by negligence should be charged triple at the repair shop (just imagine those head gaskets being charged to some idiot at triple rate!!). A law like that would mean that I would have to do FEWER repairs on cars with damaged head gaskets because the user/driver "didn't think they had to check oil unless the 5000 mile marker was coming up, and why would he/she have to know that driving a high revving engine in 110 degree weather (Fahrenheit) without ever checking fluids first might damage their 5000.00 to 10000.00 USD (BMW) motor... who'd believe that, eh?"
Until people are made responsible, and PAINFULLY so, about their rights and the consequences of not being PROACTIVE on their own, then nothing will change. People put off RISK onto others, expecting that others will take care of it for them.
It's like prostate cancer for men and breast cancer for women. If you don't proactively check for it, then you deserve the painful death you get for not bothering to so much as get a damn 100 dollar checkup each year. (Granted, it is QUITE unpleasant for men, yet for women it can even be done at home before they even GO to the doctor.)
Besides, it's easy to afford it. All we American IT types have to do is stop eating supersized meals and get water instead of fries and a soft drink (water's better for health and weight reasons anyways). You'd be amazed how quick you'll save the cash for that checkup (or for spare hardware for that BSD rig in the corner).
Same thing goes with STDs: if you sleep around, get a damn checkup. There are free clinics everywhere, so you don't have to get sharked for 199 per checkup at the regular doctor joint.
The problem with all of the above is, as the PT said, people in our country are LAZY LUSERS!! They need to get hurt badly before they'll learn... and in doing so, they will get those of us that are in the "non ignorant, non idiot" minority to pay the price with them.
" What luck for rulers that men do not think" - Adolf Hitler