Slashdot Mirror


"Crimeserver" Full of Personal/Business Data Found

Presto Vivace sends news of a server found by security firm Finjan that contained a 1.4-GB cache of stolen data, accumulated over a period of less than a month from compromised PCs around the world. The "crimeserver," as Finjan dubs it, "provided command and control functions for malware attacks in addition to being a drop site for data harvested from compromised computers. ... The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain." Oddly enough, the data was stored in the open, with not even basic auth to protect it. Finjan notes in their press release that this huge trove of data gathered over a short period of time indicates that the crimeware problem is far larger than most observers have been assuming. Update: 05/08 12:29 GMT by T : Note, the security firm involved is spelled "Finjan," not "Finjin" as originally shown.

114 comments

  1. Why would they need basic auth? by morgan_greywolf · · Score: 5, Insightful

    Why would they need basic auth? After all, the security on the compromised computers was bad enough for them, complete random strangers to the owners of the PCs, to bypass system authentication and authorization controls to grab the data in the first place.

    1. Re:Why would they need basic auth? by kcbanner · · Score: 5, Insightful

      Because all scammers aren't friends with each other.

      --
      Obligatory blog plug: http://www.caseybanner.ca/
    2. Re:Why would they need basic auth? by CodeBuster · · Score: 3, Insightful

      Well, if they were planning to sell the pilfered information then it helps if their...ahem...customers cannot simply help themselves.

    3. Re:Why would they need basic auth? by NoobixCube · · Score: 5, Interesting

      My first thought was, surely someone who accumulates this kind of data would go to some lengths to secure it. That leads me to believe that this "crime server" is owned by an amateur. The computer crime equivalent of a petty thief. Imagine how many properly run and hidden crime servers must exist. And think how many more petty thieves must own similar ones.

      --
      Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
    4. Re:Why would they need basic auth? by Anonymous Coward · · Score: 3, Insightful

      Maybe it's a free sample?

    5. Re:Why would they need basic auth? by Kingrames · · Score: 2, Interesting

      I don't think that's it.

      I think they recognize that getting the information was as easy as walking through a door, and so they don't trust any security measures other than physical security.

      --
      If you can read this, I forgot to post anonymously.
    6. Re:Why would they need basic auth? by Oriumpor · · Score: 1

      Unless the criminal is a complete idiot there's more than one drop spot... I mean, obviously you wouldn't want to design this sort of single point of failure into any C&C system.

    7. Re:Why would they need basic auth? by Anonymous Coward · · Score: 1, Insightful

      What amazes me is how quickly people adopt meaningless buzzwords like "crimeserver".

    8. Re:Why would they need basic auth? by darkfire5252 · · Score: 1

      Well, my thought was this: If they leave the info unguarded, they run the risk of someone stumbling on to the data and sharing their work. If they put effective authentication methods in place on the data, then they have established a definitive link between themselves and the data. They can claim innocence if by some stroke of bad luck they are being monitored and are caught logging in, but not if they use their personal GPG key to authenticate.

    9. Re:Why would they need basic auth? by Opportunist · · Score: 5, Interesting

      This might come as a surprise, but scammers are not necessarily more tech savvy than their victims.

      This isn't the first completely unprotected (or default password protected) scammer server. Actually, a certain security company which I won't name (but you can guess it...) will have a hard time working with certain other security companies from now on since there are things you don't yap about. Those hardly-if-ever protected ID-theft servers are one of those things.

      The reason is twofold. First of all, those criminals with a minimal technical knowledge (most of the time, those drop servers are part of the package you buy from someone who does actually know how to use a computer and write the necessary client/server package to steal information) might start wising up and protect their servers better, making our work harder. It's the whole "the less your enemy knows about you and the more you know about your enemy, the better" thing.

      The second reason, though, is even more important. When it becomes "mostly common" knowledge that there are servers stuffed with stolen information, a second part of the criminal chain opens. Well, opens isn't the right word, it already opened, but it will have a wider, let's say, audience. People who want that information for their own goals won't infect your machine but rather try to steal from the thieves, multiplying the problem in proportions that cannot even be measured anymore. So far, we have a pretty good picture of the threat and problem, knowing (or at least being able to estimate) how many people are infected by a certain trojan, what information is siphoned and by the actions taken thereafter, we can draw a picture of the threat, the goals of the group that siphoned the information and so on.

      If now many criminals start working with the same database, it becomes a damn lot harder to even try working out a threat scenario.

      That's why this is being kept on a low profile, and why nobody so far went out into the broad public about it. It's one of those "don't give them ideas" doctrines. I was certainly not in favor of the idea when it was presented, because withholding information rarely leads to more security. I just couldn't offer a better solution. Or at least a better broom to keep the ocean at bay.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:Why would they need basic auth? by jeiler · · Score: 1

      I was hoping the article would say what kind of OS this crime server was running. It doesn't.

      Forget the OS--I want to know what the IP address is. [evil grin]

      --

      If you haven't been down-modded lately, you aren't trying.

      Sacred cows make the best hamburger.

    11. Re:Why would they need basic auth? by WaltBusterkeys · · Score: 1

      When it becomes "mostly common" knowledge that there are servers stuffed with stolen information, a second part of the criminal chain opens. Just what we need -- thieves stealing from thieves. Except here the problem is that the information (your name, address, social security number, bank account numbers) is all digital and can be copied an infinite number of times. If a thief steals from a drug dealer ("rip and run") then the drug dealer knows he's been hit and is likely to take security measures. If thief steals from an identity thief, it might not even be obvious that anything was taken until it's already too late.

      This is why it's VERY important to lock down your info in the first place. There are too many leaks in the identity chain already. There's no need to give thieves information, especially if it can be stolen from one thief by another and copied yet further.

      On the other hand, maybe there will be online gang wars one day between competing criminal identity theft enterprises?
    12. Re:Why would they need basic auth? by bluefoxlucid · · Score: 1

      They were credit card numbers, not MP3s. Only pirates go to great lengths to secure their stolen goods.

    13. Re:Why would they need basic auth? by NoobixCube · · Score: 1

      If I were to steal a credit card number, I'd want to be the only person with access to it, so I could max it out. Otherwise it's the same as robbing a bank and storing all of the cash safely in the town square.

      --
      Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
    14. Re:Why would they need basic auth? by NoobixCube · · Score: 1

      I only used it because it was used in the article. Little things like making sense just seem to matter to me, so I wasn't going to reinvent the wheel by using my own word for something already named in the story. It may have a particular name already ('server' on its own seems good enough), but since I'm talking about this story, I'll talk within its terminology. Hence the quotation marks on "crime server", when I used it.

      --
      Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
    15. Re:Why would they need basic auth? by bhhenry · · Score: 1

      What amazes me is how quickly people adopt meaningless buzzwords like "crimeserver".
      Hey! It's a unique skill to be able to come up with virulent memes.
      --
      signature not found
    16. Re:Why would they need basic auth? by MoonlightSeraphim · · Score: 1

      Kick ass. And you just posted one of those "don't give them ideas" ideas on Slashdot ...

    17. Re:Why would they need basic auth? by Lobster+Quadrille · · Score: 2, Interesting

      ...As if there aren't already?

      I mean, it's not like we have regular drivebys, but Russian spammers keep getting found dead... You do the math.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    18. Re:Why would they need basic auth? by Anonymous Coward · · Score: 0

      Actually the town square wouldn't be a bad idea... most people ignore money lying on the street unless they can pick it up without being seen (you rarely hear of someone finding money in a crowd for example)...

    19. Re:Why would they need basic auth? by dbIII · · Score: 3, Insightful

      The slang is "script kiddie".

    20. Re:Why would they need basic auth? by dintech · · Score: 1

      Depends which country you live in. I'm sure it's quite common in, you know, that really dodgy one.

    21. Re:Why would they need basic auth? by Anonymous Coward · · Score: 0

      I call bullshit.

      There are multiple documented cases where caches of data have been found, and widely documented. These have been done by security researchers, and reported on widely in the media and security related web sites.

      I wrote a (internal) document on such a cache in 2006 using a template that was based on... you guessed it, a previously reported case by a well known security researcher. The .PDF document from Finjan is very similar to this same template.

      This is already widely known and reported on in security circles. Your argument that it's "secret" doesn't hold merit.

    22. Re:Why would they need basic auth? by encoderer · · Score: 1

      So what?

      When you can collect that much data that quickly it has very little value.

      Even if all the data were compromised and all the CC/Acct numbers changed before the harvester could use it, the only thing truly lost is the opportunity costs involved in gathering the data itself.

      It just makes no sense to spend time securing the data and coming up with an authentication mechanism (After all, this server needs to accept uploaded data from their botnet.)

      That time would be better spent just creating more systems to harvest more data.

    23. Re:Why would they need basic auth? by encoderer · · Score: 1

      But that's honestly a little naive.

      It's like the guy that steals your mail to get your account numbers. Do you think he shreds those when he's done with it?

      The cost of data loss to these criminals is so low as to be nearly non-existent.

      It's simple threat assessment / risk analysis.

    24. Re:Why would they need basic auth? by encoderer · · Score: 1

      Sure. But that's not a likely scenario.

      What's likely is that if you were to steal a credit card number, you'd also steal 20 others that day, and 20 more the next, and so on.

      And all of a sudden the value of a given CC is almost zero.

      A more apt analogy would be like a bank robber stealing $100,000 and fretting over each $100 bill. If YOU dropped $500 finding it would be your #1 priority. The same could not be said of that bank robber.

    25. Re:Why would they need basic auth? by Opportunist · · Score: 1

      It's been widely known in security circles. It's even been a panel on last year's VB conference, and the discussion and exchange of data within security circles had a peak time a few months ago. But there has been little communication to the outside, simply because of the reasons I outlined before.

      It's not secrecy. This isn't some top secret conspiracy bullshit. It's simply a matter of making your work no harder than entirely necessary.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    26. Re:Why would they need basic auth? by Missing_dc · · Score: 1

      I seem to recall different rootkits disabling each other, around the time that mytob was released (may have been related to mytob)

      --
      How amazed would you be to suddenly find that you just forgot what I wrote and you needed to reread my post.... again.
    27. Re:Why would they need basic auth? by mikael · · Score: 1
      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    28. Re:Why would they need basic auth? by Anonymous Coward · · Score: 0

      Well, look at it this way. They found this server. That's proof positive the guy is a script kiddy, not a true net rogue.

      I've been involved in a couple of efforts to track down attack vectors that my network was experiencing. We even had the FBI and some other group of suits (no names, no badges, you tell me) working with us, and we got NOWHERE.

      Sure, we backtraced the DDoS to a couple thousand machines. But we never found the command server, or any links to the organizing group behind it.

      The FBI told us "don't worry, it was probably just some kids goofing off, it's not like they targeted you personally".

      Right, so the 4 days where our net connection was flooded and our server left on a semi-permanent smoke break, that was just kids messing around?

      WTF?

    29. Re:Why would they need basic auth? by phoenixwade · · Score: 1

      So what?

      When you can collect that much data that quickly it has very little value.
      What do you base that assertion on? I can't, in my experience, correlate the value of data to the time it takes to acquire it.

      What's more, I suspect that the fact that all that data was harvested implies value.
      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    30. Re:Why would they need basic auth? by morgan_greywolf · · Score: 1

      It's been widely known in security circles. It's even been a panel on last years VB conference
      Wait!! They discuss security at a Visual Basic developer's conference?

      Anyone who doesn't see the humor and irony in that isn't looking very hard.
    31. Re:Why would they need basic auth? by Anonymous Coward · · Score: 0

      voiding a mod point

    32. Re:Why would they need basic auth? by dintech · · Score: 1

      No, not that one. That's my country you bastard. :) I'm not joking.

    33. Re:Why would they need basic auth? by Opportunist · · Score: 1

      VB can mean more than just Visual Basic...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    34. Re:Why would they need basic auth? by encoderer · · Score: 1

      Is your experience in using a botnet to harvest personal data from users?

      Because in this particular case, the value of the data is nothing more than its sunk cost + opportunity cost.

      It was collected so quickly, that those are both low.

      If you can get 100 more CC numbers and bank accounts in a day/week/whatev the value of the data is less.

      Kinda like how if you make $120 an hour you can justify spending $4 on a cup of coffee where you really can't if you're out there making $6.50 an hour.

      So there you go, now re-correlate.

  2. WTF by ColdWetDog · · Score: 3, Interesting

    "The person that operated this server had no clue on security, he had no clue about how to configure a Web server. He just took a ... toolkit and started to use it and in three weeks he managed to have this fortune, this treasure on his server."

    I know it's just a rehash of a press release, likely taken out of context from what was originally said, but - WTF?

    I don't think that malware is so advanced that all you have to do is "use a toolkit" and poof - magically financial and personal data will just show up on the hard drive. Maybe the guy's server was pawned - he is at least acting like he doesn't know what he is doing, but come on.

    If it's that easy, I'm gonna try it....

    --
    Faster! Faster! Faster would be better!
    1. Re:WTF by Bryansix · · Score: 4, Funny

      If it's that easy, I'm gonna try it....
      I'll make sure to alert the authorities.
    2. Re:WTF by epiphyte42 · · Score: 3, Insightful

      I know it's just a rehash of a press release, likely taken out of context from what was originally said, but - WTF?

      If it's that easy, I'm gonna try it....

      Did you consider the fact that the stuff that does all the hard work is actually .... software?! In other words, if some black hat makes a nice package with a decent installer and good documentation it could well be that it is less complicated to set up such a server than, say, setting up a decent webserver. The app in question would then do something like: 1: look for vulnerable PCs 2: infiltrate weak ones with preprogrammed stuff 3: send data back to simple integrated webserver 4: goto 1 The components at 2 could even fit into a nice plugin architecture to enable other black hats to extend the functionality. Yes, this stuff exists and yes, this stuff is easy to use.
    3. Re:WTF by infonography · · Score: 1

      If it's that easy, I'm gonna try it....


      I'll make sure to alert the authorities. They will be expecting the usual payment.

      I kind of was kidding when I started this joke, but I think it isn't really that much of a joke considering the status they found that server in. It may well have been a gift of junk data, stuff they couldn't use anyway. If you can write malware and don't lock the server it goes to, you are doing that for a reason, not in error.

      I not only look gift horses in the mouth I do DNA testing.
      --
      Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
    4. Re:WTF by commodoresloat · · Score: 4, Funny

      Maybe the guy's server was pawned
      Why would you take a server with all that valuable data to a pawn shop?
    5. Re:WTF by penguinbrat · · Score: 1

      In my day to day administration duties of your average admin maintaining your average server, the exploit scripts that attack Linux boxen are either on autopilot or obtaining the search parameters remotely - if searching for exploits from a static/dynamic list is successful, it's not that far of a leap to imagine a list of parameters to search for valuable data.

      The stuff I see sometimes in /tmp, will never cease to amaze me.

    6. Re:WTF by DogDude · · Score: 2, Interesting

      I don't think that malware is so advanced that all you have to do is "use a toolkit" and poof - magically financial and personal data will just show up on the hard drive.

      Actually, it IS that easy. Tools like that have existed for years. Anybody with malicious intent and even a basic understanding of computers can easily run their own bot-net. Really. Literally a few button clicks, and the data is yours.

      --
      I don't respond to AC's.
    7. Re:WTF by WK2 · · Score: 1

      If it's that easy, I'm gonna try it....
      I'll make sure to alert the authorities.

      Bryansix, what part of this sounds like we should involve the authorities?

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    8. Re:WTF by darkfire5252 · · Score: 1

      Oblig. mention of the Metasploit project.

    9. Re:WTF by Anonymous Coward · · Score: 0

      If it's that easy, I'm gonna try it....

      The closer we get to 2010, the more it looks like the Uplink Corporation was for real.

    10. Re:WTF by New_Age_Reform_Act · · Score: 0, Redundant

      Probably he wanted to say "pwned" instead of "pawned". Big difference here.

      --
      "The New Age. The New Beginning."
    11. Re:WTF by Anonymous Coward · · Score: 0

      Whooooooosh.

    12. Re:WTF by Bryansix · · Score: 1

      Wooosh!

    13. Re:WTF by WK2 · · Score: 1

      Haha. The wooosh was over your head. It's a (slightly modified) Malcolm in the Middle quote.

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    14. Re:WTF by eclectro · · Score: 1

      So he could pawn all the other servers at the pawn shop?

      --
      Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  3. So you have to a CISSP to run a script now? by mungmaster2000 · · Score: 5, Insightful

    "The server was not secure at all. It indicates that these people that are doing the crime today, they are not security experts, they are not computer science experts." Uhhh....So someone knocks over a liquor store with a 9 mm. Does that mean that he's a gunsmith or a sharpshooter, or skilled in advanced war-fighting techniques of some kind? No...Chances are he's just a guy with a gun. People use whatever they can to take what they want. Film at eleven.

    1. Re:So you have to a CISSP to run a script now? by moderatorrater · · Score: 4, Informative

      People use whatever they can to take what they want. Film at eleven.
      The news is that this stuff is now as easy to use as a 9mm.
    2. Re:So you have to a CISSP to run a script now? by ShawnDoc · · Score: 1

      But it's honestly not that much harder. Plenty of trojan programs out there that are pretty much ready to go.

    3. Re:So you have to a CISSP to run a script now? by Kamokazi · · Score: 0, Troll

      A 9mm is easy???

      You realize that those things have SAFETY SWITCHES?!?!

      What are you supposed to do with that thing? I'm no gun expert....does the orange dot mean it's on or off?!?! And does on mean the gun is on or the safety is on? Ahhh!!! I really don't want that kind of confusion in a deadly weapon! I'll stick with a sword. No buttons, switches, or triggers. Pointy end goes into human. Done.

      --
      As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.
    4. Re:So you have to a CISSP to run a script now? by moderatorrater · · Score: 1

      I really don't want that kind of confusion in a deadly weapon! I'll stick with a sword. No buttons, switches, or triggers. Pointy end goes into human. Done.
      So, how's your program written in BASIC coming?
    5. Re:So you have to a CISSP to run a script now? by Lobster+Quadrille · · Score: 1

      A 9 is point and click, but it doesn't have a nice GUI like Metasploit does.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
  4. Re:Where do you think the data came from by dedazo · · Score: 0, Offtopic

    No, it comes from people who use Microsoft products and can't be bothered to patch their systems, or in the best of cases are dumb enough to install that REALLY SUPER COOL SCREENSAVER!!!! that britaney3345@zuppahfiles.cc was kind enough to send to them.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  5. Bid #4325 by d3l33t · · Score: 1

    5 dollars, do I hear 5 dollars

  6. Turkey? by solweil · · Score: 1

    Why is Turkey at the top? I had not heard before that Turkey is a haven for unpatched machines. Maybe mainly a local or Kurdish crimeserver?

    1. Re:Turkey? by djdavetrouble · · Score: 1

      Maybe that was one of the first IP blocks scanned and rewted..

      --
      music lover since 1969
  7. Security company finds unsecure server by Whuffo · · Score: 5, Insightful

    Must be a slow news day for this kind of astroturf to bubble to the top. Notice how carefully they count how many people in each country had their data stolen and stored on this server. Also notice how many of those people these security folks notified of the data breach. Yup, exactly zero.

    So they're not trying to help at all. What they're trying to do is sell their services and using this pseudo-news article to do it. Shame on them.

    1. Re:Security company finds unsecure server by Frosty+Piss · · Score: 1

      Must be a slow news day for this kind of astroturf to bubble to the top.
      If you pay attention, you'll see that about 60% of "stories" on Slashdot fit the Astro Turf profile.

      News flash, oh SlashDrones, Slashdot is like Google, a commercial money-making business. WORD...

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:Security company finds unsecure server by TubeSteak · · Score: 2, Insightful

      Also notice how many of those people these security folks notified of the data breach. Yup, exactly zero.
      What are the odds that one of "those people" would sue the security firm?
      Even white hats have to deal with the PHB who wants to blame you for their problem.
      --
      [Fuck Beta]
      o0t!
    3. Re:Security company finds unsecure server by camperslo · · Score: 4, Informative

      Notice how carefully they count how many people in each country had their data stolen and stored on this server. Also notice how many of those people these security folks notified of the data breach. Yup, exactly zero.

      People may not have been contacted directly, but those in a good position to quickly mitigate damage were notified:

      "Finjan Inc said it had notified the U.S. Federal Bureau of Investigation, police in various countries and more than 40 financial institutions in the United States, Europe and India about the discovery of the so-called "crimeserver"."

      So they're not trying to help at all. What they're trying to do is sell their services and using this pseudo-news article to do it.

      Do you actually have any evidence of this? What were they trying to sell to whom?
      I would expect a press-release type of promotional piece to have more information about the services the company offers.

    4. Re:Security company finds unsecure server by Antique+Geekmeister · · Score: 1

      It should really be handled by the Secret Service: they're responsible for wire fraud, as the law enforcement arm of the Department of the Treasury. They've shown little sign over the years of being competent at managing computer crime, but it is their job.

  8. 1downmillionstogo by Anonymous Coward · · Score: 0

    Please tag with "1downmillionstogo". A single server with 1.4GB of data is hardly newsworthy. Unless this "crimeserver" also contains the missing Whitehouse emails... in which case my only question is whether the torrent has been released yet.

  9. Re:Where do you think the data came from by antic · · Score: 4, Funny

    Can you at least obfuscate my email address if you're going to be so rude as to post it publicly? Plus the screensaver was really quite super cool.

    --
    'Thats they exact same thing a banana wrench monkey.'
  10. HoneyPot by camperdave · · Score: 2, Insightful

    Oddly enough, the data was stored in the open, with not even basic auth to protect it.

    Sounds like they found a honeypot or a decoy to me. Now that the bad guys know that the good guys are on to them, they can disappear into the ether for a while until the heat dies down.

    --
    When our name is on the back of your car, we're behind you all the way!
    1. Re:HoneyPot by Lumpy · · Score: 4, Interesting

      Actually that's called a tripwire. Back in the 80's when I knew some hackers really well I helped set up several tripwires. They went hand in hand with modem hop points. You social engineer into an office building, best is a multi-business place. Get to the phone room and find a couple of demarc boxes that are old and gut them. Install a pair of modems back to back and you can hop from one phone line to another to mask your call if it's traced.

      To make a tripwire you add in a second box like that, have your outgoing line go into and out of the box, and install an isolation relay or switch that when the box is opened dumps 120VAC into the phone lines. This typically smokes a modem hard, making it impossible for them to recover any info inside it (mostly designed to piss off the feds/cops), but it disables the modem and the line, tipping you off that that relay has been compromised.

      Worked well. One "friend" had 5 of his relays compromised in one night, tipping him off that something big was happening, and he laid low for a while.

      --
      Do not look at laser with remaining good eye.
    2. Re:HoneyPot by Antique+Geekmeister · · Score: 1

      What relay did you use? The ones that handle 120V reliably tend to be rather expensive.

    3. Re:HoneyPot by ei4anb · · Score: 1

      120V into a modem would just make the opto-isolator pop like pop-corn but it probably would not damage the rest of the electronics (I have worked on modem design).

      The most likely result would be to add "intent to do bodily harm" to the charge sheet, or worse if the telephone company technician was following the wires when someone opened the box :-(

    4. Re:HoneyPot by Dr_Barnowl · · Score: 1

      They don't need to handle it reliably; just long enough to fritz the delicate sensitive electronics in a modem.

    5. Re:HoneyPot by Anonymous Coward · · Score: 3, Insightful

      First, telephone wires carry over 90VAC on them all the time.

      Second, 24 Ga wire can't carry any current; it smokes out right away.

      Thirdly, it does in FACT smoke the modems that were made back in the 80's and early 90's. Hayes and USR modems back then could be eaten alive easily by 120VAC at any strength into the phone port; better would be to also run a pair of wires to the modem's power supply side as well.

      Fourthly, it also pops the Telco gear at the switching station, dropping the line off so when you call it it does not ring. A very clever way of setting a tripwire.

      Remember back in the 80's the police and judges were not as corrupt as now. They did not throw in extra added bullshit for fun. Now the scumbag fuckers will add all kind of charges just to show you who owns the populace.

    6. Re:HoneyPot by Anonymous Coward · · Score: 0

      Oh so you are one of those 2600 reading ankle biters that makes people think you are a Uber Hax0r?

      How cute. Do you wear all black and bondage pants as well? OHH, are skateboards still in for you posers or did you switch to pimped out mopeds?

      You little wanna-be's always made me laugh. Trying to act all cool and leet. you always screw up your bragging and mess up a term or two... I always giggle at you wankers.

      Cute how you wannabes don't know what a honeypot is.

    7. Re:HoneyPot by camperdave · · Score: 1

      > What relay did you use? The ones that handle 120V reliably tend to be rather expensive.

      You can get such relays for about six bucks, and if you shop around, I'm sure you could get them cheaper.

      --
      When our name is on the back of your car, we're behind you all the way!
    8. Re:HoneyPot by petermgreen · · Score: 1

      I would think that they would still be able to tell which phone lines the modems were wired to which is all they really need to know to trace the calls through them.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
  11. Re:So you have to a CISSP to run a script now? I'm by davidsyes · · Score: 1, Troll

    Waiting for the headline:

    "Thief robs liquor store in 255 lines of Haiku; no weapons involved. Story at 11."

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  12. Unprotected maybe for a reason: by Fluffeh · · Score: 4, Insightful

    Perhaps this data was intentionally left out in the open by whoever had it first?

    If you think about it, if you just hacked into a user's PC and nicked something (credit card info, passwords, whatever) and used them quietly to some degree, wouldn't you WANT someone else to use them, perhaps not so quietly? I mean, you want a fall guy, right? Let the next script kiddie run through and take the fall. With a bit of luck, they will pin all the activity on the new guy rather than the guy who carefully used this once, then let the information loose on the masses.

    It's not "accidentally" or "stupidly" left unprotected; it's a perfect smoke screen to cover tracks if you ask me.

    --
    Moved to http://soylentnews.org/. You are invited to join us too!
  13. Screen Saver... by Belial6 · · Score: 3, Interesting

    Is there any legitimate reason that screen savers in every single OS should not be 100% sandboxed? Is there even one OS that does sandbox the screen savers? Heck, there are not even that many screen savers that have a use for network access. You should have to explicitly authorize your sandboxed screen saver to have network access. As far as I know, every single OS is guilty of this security hole.

    1. Re:Screen Saver... by WaltBusterkeys · · Score: 1

      I can think of plenty of reasons why a legitimate screensaver would want Internet access. There are plenty of screensavers that use Flickr or other photo sites as source images. Others put up ambient environmental data, such as cloud maps or weather. And others put up sports info. People use their screensavers for entertainment, not just prevention of burn-in.

      The screensaver should be subject to the same HIGH security standards as everything else. There's no reason to give it more or less permission.

    2. Re:Screen Saver... by Anonymous Coward · · Score: 0

      That would be fine if the file was actually a screen saver. However, it's more likely the file just says it's a screen saver and is really the malware executable that then installs a random screen saver to try and avoid suspicion.

      Most users won't know or care enough to check if a file they download is actually what it says.

    3. Re:Screen Saver... by freyyr890 · · Score: 1

      In Windows, a screensaver is just an executable with its extension changed to .scr.

    4. Re:Screen Saver... by The+MAZZTer · · Score: 1

      Your solution wouldn't fix the problem. The "screen saver"'s "installer" can easily be the source of the virus or trojan or whatever instead of the actual "screen saver". And installers are expected to have to run with elevated privileges (especially in Vista since Program Files can't be written to without them).

    5. Re:Screen Saver... by Belial6 · · Score: 1

      What are you talking about? There is no excuse for a screen saver to have an installer. It makes no more sense than having an installer for the text document that you just downloaded, or for a jpg picture that you just downloaded. So, there are no excuses for running anything to do with a screen saver outside of a sandbox.

    6. Re:Screen Saver... by shentino · · Score: 1

      Well so much for the "ping" radar...

    7. Re:Screen Saver... by petermgreen · · Score: 1

      While the internet existed in the 3.x/early 9x era, it was nowhere near as popular as it is now, and it was also nowhere near as malware infested.

      And changing it now wouldn't solve much; users are used to running installers for screensavers and would continue to do so even if the screensavers themselves were forced to change to a bytecode format.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
    8. Re:Screen Saver... by Belial6 · · Score: 1

      First, there is no excuse for every other OS. Both Mac and Linux should have taken care of this issue. Second, the fact that Windows was originally built pre-popular-internet is no excuse for MS leaving this huge gaping security hole. If they can add UAC to Windows, they certainly could sandbox the screen saver. Most people understand that there is no legitimate reason to distribute a picture as an executable. Those that don't, you can tell them in no uncertain terms that any picture being distributed as an executable is malware. There is no excuse for Microsoft (or any other OS) to leave in place a part of their OS that makes malware and legitimate software look the same.

      Heck, there have been a few times where I wanted to install a screen saver, but didn't because of the likelihood that it could contain malware. If the OS was designed properly, I could have gone ahead and installed the screen saver knowing that it was going to run inside of a sandbox. Seriously, saying that a security hole should be left in an OS that was released in 2007 because that is the way it was back in the early 90's is pretty silly.

  14. Bullshit by Anonymous Coward · · Score: 0

    I think it's another "security" firm trying to make a name for itself.

    See also: Storm "security" firms making wild exaggerations and this company selling products in the story itself.

    5k "unique" logs isn't much of a "crimeserver" to me. Sounds like a script kiddie with a working toolkit, but if it contained 50k, 500k or 1 million unique hits, I would call it a crime server.

  15. PRESS WHORES by mambosauce · · Score: 1

    These guys are such press whores. You can google to find a ton of open drop sites like this. The fact that they bothered making ridiculous statistics and a press release on something so common just shows how pathetic they are.

  16. Spelled: Finjan by thebigo195 · · Score: 1

    The correct spelling is Finjan (not Finjin). The word means a small metal container in which Israelis (and Arabs) cook their coffee.

    1. Re:Spelled: Finjan by the+brown+guy · · Score: 1

      Since we're getting technical, I am assuming you mean, in which they brew their coffee.

      --
      Orbis terrarum est non altus satis
    2. Re:Spelled: Finjan by ColdWetDog · · Score: 1

      > Since we're getting technical, I am assuming you mean, in which they brew their coffee.

      Ever had Arabic coffee? "Cook" is a more appropriate term.

      --
      Faster! Faster! Faster would be better!
  17. Re:Where do you think the data came from by Anonymous Coward · · Score: 0

    I'm too lazy to log in, but Microsoft products aren't the only thing vulnerable to such exploits. Linux "n00bs" don't know how to properly secure their boxes. Especially the "n00b" Ubuntu/Knoppix/Morphix users. They think just because it's Linux, it is secure out of the box, when in reality it just gives off a false sense of security. I'm not singling Ubuntu out, but it is the most easily recognized distro, and when most non-tech-savvy people hear "Linux", they think "Ubuntu" so that's why I used it in my analogy. If you even want to call it that.

    Yeah, I know it's somewhat off-topic but just blaming Microsoft and Microsoft alone gets on my nerves.

  18. Yep by Cryacin · · Score: 2, Funny

    The news is that this stuff is now as easy to use as a 9mm. Yep - Standard point and click interface.
    --
    Science advances one funeral at a time- Max Planck
    1. Re:Yep by NeoSkandranon · · Score: 1

      If it just goes click you may be in trouble...

      --
      If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
  19. Maybe our "crimeserver" is really a "harvester?" by yuna49 · · Score: 4, Insightful

    > Unless the criminal is a complete idiot there's more than one drop spot...

    Indeed. If I were writing botnet software I'd distribute multiple copies of the collected data across a number of the compromised computers. The press release and article abstract indicate that the botnet control programs and the data were located in the same place. That doesn't seem like a particularly good architecture for this type of system. I'd keep the command programs far away from the harvested data. My hunch is that the data aren't that valuable as I outline below.

    I can accept that buying, installing and running a botnet could be as easy as installing an RPM. What appears more disturbing is the reported "timeframe of less than a month" to harvest over 5,000 records. But what kind of records are these? Finjan tells us that the data "consisted of 5,388 unique log files [my emphasis]. Both email communications and web-related data were among them."

    They go on to list some specific examples:

    Compromised patient data
    Compromised bank customer data
    Business-related email communications
    Captured Outlook accounts containing email communication

    I'd be curious to see how much actual "patient" or "bank customer" data is revealed in "log files." /var/log/maillog on my servers would certainly reveal "business-related email communications" in the sense of senders and recipients. Mail logs might also contain some entries for mail between providers and patients or between banks and their customers. Apache logs wouldn't be so useful, though they do contain the usernames when Basic Authentication is used. But none of those logs would reveal much about the content of those communications. I don't know anything about Outlook so I have no idea how its logs might reveal "captured Outlook accounts containing email communication."

    Still if all they got after a month were logs, I'm not sure how valuable they would be unless the goal was harvesting addresses for spamming or phishing. Capturing the logs of compromised mail servers would certainly yield a pretty high proportion of legitimate addresses, especially recipient addresses. This method seems especially attractive if you're trying to identify targets for "spear-phishing." If you can compromise some corporate mail servers, you can build up a nice list to "spear."

    So I'm guessing Finjan found a machine containing some 5,600 mail server "log files" totalling 1.4 GB. Since the logs are worthless once the addresses are harvested, protecting them isn't much of a priority. I suppose competitive spammers might want to keep these potentially higher-yielding names to themselves, but given the volumes at which spammers operate, they probably don't care.

    I think I'll go take a look at my mail servers now just to ease my mind.

  20. drugs on the table by sixpenny_83 · · Score: 1

    1 hard drive doesn't make for a very impressive visual aid.

  21. safety in numbers by Bronster · · Score: 1

    > this huge trove of data gathered over a short period of time indicates that the crimeware problem is far larger than most observers have been assuming.

    Maybe so - but conversely they may not be able to use all of it (at least for time-limited things like credit cards) before it's expired, making me happy that they have lots of data, because when (not if) my data gets stolen from somewhere, I'm less likely to be one of those exploited. Whee.

  22. Old news by simplypeachy · · Score: 1

    Gee, what gripping news of cutting-edge malware research; I found one of these, of similar size, two years ago. The FTP credentials were in plain text in a config file dropped by the malware. It was child's play getting in and getting enough info for authorities to do something about it. Shortly after that it disappeared. It was created by stupid people who were playing with things they didn't really understand, although I'm sure they understood the $$$. I remember thinking at the time "this would be cool if it wasn't so boringly easy". How wrong I was! Should have cranked up the PR machine and posted it to slashdot!

  23. Yes and that is just insane by dreamchaser · · Score: 2, Interesting

    I never understood why they didn't put in some sort of interpreter and make SCR files some kind of bytecode that can only display graphics data. SCR files are a HUGE vector of malware infection because of the absolutely insane design they used.

    Just to short cut the 'Screensavers need network access! I want my Flickr photos to display...or my Weather data to display', etc., IT IS A SCREEN SAVER. Its purpose is to secure and protect your computer and screen when you aren't using it. WTF are you doing sitting there staring at your screensaver? Good pot?

  24. Unprotected Data == Deniable Data by giafly · · Score: 1

    > Oddly enough, the data was stored in the open, with not even basic auth to protect it

    I'd do this if I wanted to frame the server owner, or if I were the server owner and planned to deny everything and claim it was a plot to frame me.
    --
    Reduce, reuse, cycle
  25. Re:Maybe our "crimeserver" is really a "harvester? by hesaigo999ca · · Score: 1

    I agree, and also believe that any true malware writer will also incorporate p2p torrent download technology so that a file of 1.4 GB can be shared by all child nodes within a network if they so chose to... and the download time would be minimal.

    Therefore, a botnet with 1000 PCs... could easily host a few hundred copies...

  26. Re:Where do you think the data came from by mikael · · Score: 1

    The vmsplice.c exploit was the most impressive that I have seen. Instant root access from a little executable.

    --
    Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  27. Re:Maybe our "crimeserver" is really a "harvester? by warkda+rrior · · Score: 1

    > I'd be curious to see how much actual "patient" or "bank customer" data is revealed in "log files." /var/log/maillog on my servers would certainly reveal "business-related email communications" in the sense of senders and recipients. Mail logs might also contain some entries for mail between providers and patients or between banks and their customers. Apache logs wouldn't be so useful, though they do contain the usernames when Basic Authentication is used. But none of those logs would reveal much about the content of those communications. I don't know anything about Outlook so I have no idea how its logs might reveal "captured Outlook accounts containing email communication."

    You are assuming that the discovered log files are logs copied verbatim from the victim machines. It is more likely that these are logs of collected data (e.g., keystrokes, mouse clicks, screen snapshots, actual emails) captured using spyware or keyloggers.

    If that is the case (and the story does not make it clear), then such logs certainly contain credentials and other identifying information to allow anyone to access bank accounts, private patient data, and so on.

    --
    You need to install an RTFM interface.
  28. Cool! A Minnie Driver / Anne Hathaway love scene! by Impy+the+Impiuos+Imp · · Score: 1

    > a server found by security firm Finjin that contained a 1.4-GB cache of
    > stolen data, accumulated over a period of less than a month from
    > compromised PCs around the world. The "crimeserver," as Finjin dubs it,
    > "provided command and control functions for malware attacks in addition
    > to being a drop site for data harvested from compromised computers..."

    Fucking Morpheus! Can't the feds ever stop this guy?!?!?

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  29. Was your data compromised? by Chapter80 · · Score: 1
    As a service to fellow Slashdot readers, I'm more than happy to report back and let you know if your personal or financial information has been compromised.

    Simply give me as many search terms as you can think of, and I'll let you know. Examples: Your name. SSN. Bank Account Routing and Transit numbers. Mother's Maiden Name. Any other search terms that you want me to search for.

  30. Re:Maybe our "crimeserver" is really a "harvester? by CodeMaster · · Score: 1

    Actually, the log files refer to the logs sent by infected machines. These logs contain keylogged data that correspond to forms posted through IE and Firefox, as well as "datastore" information (credentials cached by IE, Outlook, and FFox). This means that the 1.4 GB of data, while containing some less useful information, is much more valuable than you have indicated above... Having said that, and realizing that this data is not just a mail/http log file, one can really start to grasp the true meaning of such a criminally operated server.

  31. Crimeserver? by Anonymous Coward · · Score: 0

    how do i got crimeserver?