Slashdot Mirror


Malaysian Indicted After Hacking Federal Reserve

wiredmikey sends along a security story that looks like it could be one to watch. Lin Mun Poo was arrested shortly after arriving at New York's John F. Kennedy International Airport in late October, traveling to the US on business. The 32-year-old resident of Malaysia was observed by an undercover Secret Service agent selling stolen credit card data in a diner. After arresting him and seizing his laptop (which was "heavily encrypted"), authorities discovered evidence of far more serious security breaches. According to documents from the Department of Justice, Lin Mun Poo had hacked into the Federal Reserve Bank of Cleveland and stolen over 400,000 credit and debit card numbers. Also, according to authorities, Mr. Poo managed to hack into FedComp, a data processor for federal credit unions, enabling him to access the data of various federal credit unions. He also hacked into the computer system of a Department of Defense contractor that provides systems management for military transport and other military operations, potentially compromising highly sensitive military logistics information.


  1. Stolen squared by hendrikboom · · Score: 5, Interesting

    He stole stolen credit card numbers? They ended up being twice stolen? And why was the Federal Reserve Bank harboring stolen numbers anyway?

    1. Re:Stolen squared by commodore64_love · · Score: 2, Insightful

      For the same reason Comcast blocks bittorrents.
      Because they are both private, corporate monopolies and there's nobody willing to stop them. (Look how the Audit the Fed bill died.)

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  2. One wonders why... by digitaldc · · Score: 2, Funny

    ...Lin Min was always so much more misbehaved than his brother, Hu Flung Poo?

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:One wonders why... by ilsaloving · · Score: 2, Funny

      I heard that when he initially refused to give up his passwords, they threatened to throw him into a fan.

  3. So much for security through obscurity... by aeroseth · · Score: 2, Interesting

    Why are these things even connected to the internet if there is the danger of cracking them?

    --
    "Is that real poncho or a Sears poncho?" ~~FZ
    1. Re:So much for security through obscurity... by HungryHobo · · Score: 2, Insightful

      because someone in management thinks it would be cool to be able to access it all from his blackberry from home and a consultant assured him that the system their company was selling would let him do that securely (with of course an explicit clause in the contract which states that they do not guarantee that it will be secure and take no responsibility of any kind if it is not).

      plus of course the banking system is civilian and the costs of running a completely separate network are prohibitive and anyone who wants to use that system has to be connected and if any of them are insecure then someone can get in anyway... etc.

      Finally, security is hard. It was once summed up to me thusly by a lecturer: "if the other guy is a better programmer than you he'll probably get into any system you build eventually, there will always be someone who is a better programmer than you thus assume your system will be breached eventually and build in many many layers of security."

    2. Re:So much for security through obscurity... by vlm · · Score: 2, Insightful

      Don't forget that the taxpayers will backstop all losses... Privatize all gains and socialize all losses, that's the American Way (tm)

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    3. Re:So much for security through obscurity... by 93+Escort+Wagon · · Score: 2, Interesting

      Why are these things even connected to the internet if there is the danger of cracking them?

      For the same reason commercial power plants, including nuclear plants, are on the internet and running on stock Windows.

      Because many of the people in charge of making these decisions are imbeciles.

      --
      #DeleteChrome
    4. Re:So much for security through obscurity... by commodore64_love · · Score: 4, Insightful

      >>>Privatize all gains and socialize all losses, that's the [Corporatist] Way (tm)

      fixed that for you.
      And of course both parties are corporatist.
      (whispers)
      aka fascist

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  4. Who did the Fed Reserve steal them from? by Anonymous Coward · · Score: 2, Funny

    "Lin Min Poo had hacked into the Federal Reserve Bank of Cleveland and stolen over 400,000 stolen credit and debit card numbers."

  5. Re:"Heavily encrypted" by BruiserBlanton · · Score: 5, Funny

    You know that's not the plan.

    Obligatory XKCD
    http://xkcd.com/538/

  6. Re:"Heavily encrypted" by Peeteriz · · Score: 2, Funny

    According to early data security research performed by the KGB, thermorectal cryptanalysis (involving a penetration test with soldering iron) can reveal encryption keys of any length within a couple of minutes.

  7. Mr. Poo. by roman_mir · · Score: 3, Funny

    I feel like it's an episode of South Park - hey there, Mr. Poo.

    From TFA:

    "To have the skills to break into highly sensitive systems like that is an impressive level of criminal activity," said Kurt Baumgartner, a senior security researcher for Kaspersky Lab, a computer security firm.

    - yeah, I bet it takes an impressive level of criminal activity consisting of some 'LOL Cat' or maybe a 'Hot Malaysian Massage' screen saver and off-the-shelf 'back-orifice' of some sort.

    But anyway, what did this guy do that the Fed isn't doing anyway?

    traveling to the US on business

    - that right there is a punishable offense, well at the very least your 'junk' may have to be touched.

    The 32 year-old resident of Malaysia was observed by an undercover Secret Service agent

    - they are making it sound much dirtier than it was.

    selling stolen credit card data in a diner

    - stay classy Mr. Poo. At a diner?

    Why can't you be more respectable and do it like the Fed does, they sell their junk bonds on the bond market, with bells and whistles.

    After arresting him and seizing his laptop (which was "heavily encrypted")

    - with ROT13

    authorities discovered evidence

    - as I said, with ROT13.

    Lin Min Poo had hacked into the Federal Reserve Bank of Cleveland and stolen over 400,000 stolen credit and debit card numbers.

    - BASTARD! How dare he steal the STOLEN credit card numbers? Fed was just going to sell them themselves at a diner.

    Also, according to authorities, Mr. Poo managed to hack into FedComp, a data processor for federal credit unions, enabling him to access the data of various federal credit union.

    - various 'credit union'. Yeah, that one credit union is extremely 'various' indeed.

    He also hacked into computer system of a Department of Defense contractor that provides systems management for military transport and other military operations, potentially compromising highly sensitive military logistics information.

    - well, in his defense, he was just going to sell that highly classified systems management information at a better restaurant, he has SOME standards.

    "If a guy from Malaysia can get into networks like this, you can imagine what the Chinese and Russians, the people with real capabilities, are able to do

    - OMG! Call the Pentagon, they need to check if the database of the stolen mortgage back securities papers hasn't been stolen!

    In fact, the penetration of sensitive national security computers by overseas hackers — many of them believed to be state sponsored — is rapidly emerging as one of the country’s most alarming national security threats, officials said. And the threat is not just from foreign governments and for-profit hackers. Officials have also expressed worries that terrorist groups may be capable of the same sorts of sophisticated penetrations.

    - clearly, more F35s are needed to stop these attacks. What was that about the Republicans voting to STOP pig, I mean pork spending?

    HOW, just HOW will they STOP all that pork spending if there is clearly so much that needs to be done right now, to prevent the terrorists from winning by 'hacking' into the White House and stealing the toilet cleaning schedule?

    Pentagon officials said Sunday they were unable to respond immediately to questions about whether Poo's hacking of the contractor's computers had compromised military troop movements. But spokesman Bryan Whitman said in an e-mailed statement to NBC News: "We are keenly aware that our networks are being probed everyday. That's precisely why we have a very robust and layered active defense to protect our networ

  8. He forgot to wipe by digitalPhant0m · · Score: 2, Funny

    Mr. Poo forgot to 'Wipe' the data off his laptop.

  9. Re:This story... by falsified · · Score: 4, Insightful

    It kind of is. Can we stop putting things like this under "Your Rights Online"? The person was observed breaking the law in a restaurant, not online, and it sounds like subsequent searches were above the board and revealed some pretty egregious shit. He's also confessed to at least some of the charges.

    Does Slashdot have a grouping named "People not yet convicted of breaking the law, but ehhhhhh, it really looks like they did"? Otherwise it looks like we're arguing that people should have a protection against being observed by the Secret Service when there's reasonable suspicion of illegality. This wasn't exactly warrantless wiretapping.

    --
    HI, MY NAME IS ISAAC.
  10. Re:This story... by cayenne8 · · Score: 5, Funny

    It would appear that Mr. Poo is in some really deep shit now....

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  11. Re:I'll bet by Hinhule · · Score: 2, Insightful

    Like being recruited by the NSA or the Cyber command.

  12. Re:Actual indictment by tangent3 · · Score: 2, Informative

    It's a Chinese name (there's a large community of Chinese in Malaysia)
    Lin is the family name, Mun Poo is the given name.

  13. Re:You can't trust the white man... by Lead+Butthead · · Score: 2, Insightful

    I think the point was, all races are equally (un)trustworthy.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  14. Re:You can't trust Asians by mysidia · · Score: 4, Insightful

    "'If a guy from Malaysia can get into networks like this, you can imagine what the Chinese and Russians ... are able to do' "

    No racism there, except for extremely expansive gratuitously warped definitions of racism.

    There are well-known large hacking rings in Russia and China. It is not difficult to imagine that many hackers working together are obviously a potentially larger threat than one hacker, assuming individuals of comparable skill and knowledge; the conclusions are obvious and have nothing to do with race.

    There are some Malaysian hacking rings, but less well known to the public and the popular media.

    Even if the more adept hackers happened to be in China, and it was stated, it wouldn't imply anything about race. As there are other factors involved, such as government being involved and promoting hacking, or there being stronger penalties for hackers in a country. The amount of technology available in a country, and the state of its economy and culture also affect such things.

    In any event, Racism is defined as using power, for example, force, government authority, business decisions, or threat of violence/harm to promote the superiority of one race or to marginalize another.

    Besides race there are a lot of differences between the culture and environment in Malaysia VS Chinese/Russian countries, ability to hide, and access to certain resources.

    There is nothing in the article indicating the Malaysian race is somehow inferior, or evil, or that hackers of the Chinese/Russian race are superior, inferior, or more evil, ergo no racism.

  15. Mr Lin by donscarletti · · Score: 3, Informative

    Nope, they screwed it up. His family name is "Lin", his given name is "Mun Poo".

    However, since he is Malaysian Chinese, things get weirder: Malaysian Chinese may write their name in Chinese order "Lin Mun Poo", western order "Mun Poo Lin", without family name "Mun Poo", a single Arabic name e.g. "Muhammad", a single English name or an English name with a Chinese surname e.g. "David Lin". Any one of these might be what is written on this individual's birth certificate.

    --
    When Argumentum ad Hominem falls short, try Argumentum ad Matrem
  16. Re:You can't trust Asians by bsDaemon · · Score: 3, Insightful

    I think the emphasis should be on the "some guy" aspect rather than the "Malaysia" aspect. The fact of the matter is, China and Russia aren't exactly hiding the fact that they have large populations of people who are basically dedicated to computer intrusion, espionage and intelligence gathering, many of whom receive partial or full government support, or are in fact government employees. While we have our own NSA, Russia and China seem to have lots of general citizens who are engaging in such activities for avowed nationalist purposes. I have a somewhat hard time believing that if I started hacking foreign governments and then went down the road here to share what information I may have gleaned that I'd be welcomed with open arms.

    Malaysia isn't a country one generally hears about engaging in this type of activity. He could have been from Andorra for all it matters, and the message would be the same: if one guy, no matter where he's from, without the support of his own government intelligence agencies, is able to obtain this type of information and access, then malicious state actors should have no trouble doing so. Also, the fact that his access to logistical information wasn't noticed until the course of what started out as a simple criminal investigation by the appropriate authorities (Secret Service being under the authority of the Treasury Department), that's kind of scary. It means that the Russians, Chinese, Iranians, or anyone else might also have had access to that same data and no one was apparently paying any attention, or there are unknown security flaws which were exploited and thus there were no IDS/IPS rules to catch the activity and raise any flags.

    This dude is somewhat irrelevant compared to the wider implications of the non-credit-related activities, which are also pretty much straight up crime.

  17. Re:"Heavily encrypted" by Zed+Pobre · · Score: 2, Insightful

    Oh, I suspect that he might very well have been using full-disk encryption, which would meet the definition of 'heavily encrypted'. The lesson to take away here is that it doesn't matter how heavily you encrypt your data if you let your device get captured after you've logged in. From the motion for detention, he made a sale at a diner while being watched by Secret Service agents and got picked up 'shortly thereafter', whatever that means, and if he failed to completely power down his laptop between sale and arrest, it's game over. Lesson for the day: if you're carrying evidence that will destroy your life, remember that closing the lid on your laptop doesn't actually wipe its memory.

    As an aside, I also suspect the motive for the phrasing is less 'undermining cryptography' than 'look how awesome we are'. Almost all documents by any law enforcement agency on a major bust puff up how devious and sophisticated the bad guy was, so they can imply that they were even better.

  18. Re:You can't trust Asians by nedlohs · · Score: 2, Insightful

    Clearly it means 'If one guy from a "friendly" country can do that, imagine what agents of the "unfriendly" countries can do with the backing provided by the state'.

  19. Why does the Fed have credit card numbers? by goodmanj · · Score: 2, Insightful

    Seriously, why does the Federal Reserve have consumer credit card numbers? We're not talking about TJ Maxx here: unless I'm mistaken the Federal Reserve only does business with banks, they have nothing to do with ordinary consumers and their silly bits of plastic.

    People putting their income tax payments on plastic, maybe? I'm stumped.