Paying Hacker Extortion
An anonymous reader writes "A friend works as CIO at a medium-sized publicly traded company. The company was contacted by a hacking group and told to pay $100,000 to prevent their company from being hacked/attacked. They actually paid the extortion (told authorities after). The authorities said the company could be charged with supporting terrorists. Seeing that most publicly known hacks are costing companies this size nearly a million dollars, is this supporting terrorists or supporting stockholders?"
Is this supporting terrorists or supporting stockholders?
1) Neither, it could be a 12 year old with hotmail sending threatening emails.
2) Both, it is another corporate goon protecting his stock options.
3) None, they were paid out in Botcoins.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
That's not an exclusive OR. You can do both.
They'll just be hacked anyway.
Is this supporting terrorists or supporting stockholders?
One in the same...
PayPal? Besides airdropping suitcases full of cash into the ocean, how do corporations pay ransom these days?
Both
How about hiring someone who actually has some idea about security. THAT is supporting stockholders.
Seven puppies were harmed during the making of this post.
It seems like it is making everyone happy these days.
News agencies are creaming their panties.
Companies get to sweep shit under the rug while their competitors crash and burn. (I bet you Microsoft was heart broken to hear the PSN got hacked.)
Hackers make some money and who knows might eventually get laid.
The Government gets to restrict our freedoms and buy bigger shiny new toys and has even more reasons to keep printing money until it costs more to print it than it's worth.
I get the pleasure of changing my password every twenty minutes to something like LKJGDSKLeiojgtqpltjwe4jt]90iejaasdfHippofucknuggets
Everyone WINS!
Paying ransom is almost always a bad idea for the community as a whole. The authorities are simply trying to make the company do the right thing instead of the selfish thing. The biggest problem with security is that the incentives are rarely aligned with the responsibilities; this is a classic case of re-aligning those by pushing the societal cost back to the people who are in a position to make the decision.
And that is called asking for Dane-geld,
And the people who ask it explain
That you've only to pay 'em the Dane-geld
And then you'll get rid of the Dane!
-- Rudyard Kipling, from "http://www.poetryloverspage.com/poets/kipling/dane_geld.html"
With the savings your friend could hire some real security experts to keep their systems online.
As for the terrorism bit, it makes me wonder when we can sue members of the Reagan Administration for arming the proto-Taliban, Saddam Hussein, and Iran. Clinton and Obama owe us a few bucks for Pakistan too, when they inevitably start arming terrorists in the near future. What's good for the goose is good for the gander, right?
Someone sent them an email? And they think now it will stop? What's more likely is the extortionist will brag to his friends about it and spark a gold rush of extortion emails to this pathetic company. If I were a shareholder I would demand the resignation of the idiot who agreed to this, followed by an investigation into whether he knew the extortionist.
Is this supporting terrorists or supporting stockholders?
"Supporting terrorists" is a stupid description, and the idiot who said that needs a kick in the teeth. However, also stupid was paying these jackasses. Take every precaution you can, get the authorities involved as a backup, maybe even alert your shareholders to the threat, but do not pay extortionist script kiddies.
"You cannot simultaneously prevent and prepare for war." -- Albert Einstein
Tell them you will pay them $200,000 if they are willing to pick it up in person.
What's the name of your friend's company?
Am I alone in finding this story incredibly sketchy? Either the company, the poster, and the police are stunning idiots, or it's just bullshit created to inflame a bunch of slashdotters.
If some kind of attribution can't be found, I call BS.
Three Squirrels
Dane-geld
(A.D. 980-1016)
IT IS always a temptation to an armed and agile nation,
To call upon a neighbour and to say:—
“We invaded you last night—we are quite prepared to fight,
Unless you pay us cash to go away.”
And that is called asking for Dane-geld,
And the people who ask it explain
That you’ve only to pay ’em the Dane-geld
And then you’ll get rid of the Dane!
It is always a temptation to a rich and lazy nation,
To puff and look important and to say:—
“Though we know we should defeat you, we have not the time to meet you.
We will therefore pay you cash to go away.”
And that is called paying the Dane-geld;
But we’ve proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.
It is wrong to put temptation in the path of any nation,
For fear they should succumb and go astray,
So when you are requested to pay up or be molested,
You will find it better policy to say:—
“We never pay any one Dane-geld,
No matter how trifling the cost,
For the end of that game is oppression and shame,
And the nation that plays it is lost!”
"Are they made from real Girl Scouts?" ~Wednesday Addams
That's as bad as all those people who sent money to Nigeria. Now they'll be making similar demands of every company in America.
You should have told mgt that you'd deliver the cash. Then you take the cash out of the bag, put in some phone books, and deliver that to the extortionists.
When they call up and say "You ripped us off!!" You just say to your boss "They're trying to fuck us again!!" I mean, who are they gonna believe?
What are the hackers going to do to you? Hack your Facebook account and put up gay porn? Say mean and nasty things about you?
1. Find a way to drop the money off in person, or track where it goes.
2. Kill them
3. ??????????
4. profit!!!
My friend's sister's uncle's niece's boyfriend said... I call bollocks.
Plenty of good business decisions are illegal. For example, many international trading companies would be more profitable if they expanded into the lucrative cocaine transportation markets. That doesn't mean they can legally do so just because it increases dividends! If the hacking group in question here is a designated Foreign Terrorist Organization (yes, there is a list), then giving them money is a federal crime - regardless of the reason for the payment or how much business sense it makes.
I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
I have a pet rock by my desk that I was told (when I bought it) would ward off attacks by hackers. It's been a great purchase, since we haven't been hacked. It cost a lot less than $100k! What a bargain!
But seriously, how many groups of hackers/crackers are out there? How do you know that paying off the group will not actually encourage attacks (since, by paying, you express doubt in your own security)?
The real "Libtards" are the Libertarians!
They shouldn't have paid anything; they should have hired a very experienced security expert on a 3-month contract, saved money and increased security.
...government employee or even better an official, then yes it probably is supporting terrorist.
The expression is "one AND the same."
"One in the same" is phonetically similar but semantically stupid and outright incorrect.
I know this comment is off topic and I am a grammar Nazi and so on. Be that as it may, using language stupidly like this does NOT evolve it. People like you dumb our language down and make it worse for everyone.
On second thought, please continue to be thoughtless and use expressions incorrectly like this. Do so on your resume and cover letter, so I won't ever make the mistake of hiring someone as cognitively sloppy as you.
So you say a mid-sized company paid a $100,000 extortion? That money went 'poof', right? Untraceable, right? Call me the suspicious sort, but are we sure this is extortion and not embezzlement?
Cheers,
Matt
They bought something for that $100k, namely the hacker documenting his hack. I'm sure he even did a conscientious job for a coked-up Belorussian teenager whose English does not extend beyond text speak.
Yeah, sure, $100k sounds steep for simply documenting a handful of security bugs, but they were the bugs that might've bitten you for $1M. And surely you saved way more by building your site using cheap-ass Visual Basic developers, right?
Anyways, anyone who views hacking as terrorism is a moron, especially the authorities who threatened the company.
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
So an anonymous reader writes that their friend is CIO at a blah blah blah and you all grant this claim credence?
That's the whole point of "terrorism". You can label anything terrorism, and all of a sudden none of the old rules apply.
Give me Classic Slashdot or give me death!
I think you will find it is illegal to pay extortion money to criminal groups in most parts of the world. Your friend's employer will also now be on a sucker's list of people they will try to get increasingly larger amounts of money out of, so no, this is not supporting the stockholders.
If the gov't required all public companies to disclose all such threats and banned them from giving out money to extortionists (or else get in big trouble), then there would be a bigger financial incentive for companies to not pay extortionists than to pay them, and it would eventually cut out this black market from the start. Eventually, the extortionists would realize they have no leverage with the target companies and just stop - hacking them to send a message to other companies wouldn't accomplish anything. And since they're a public company, they wouldn't have as much of a vested interest in trying to duck the gov't and pay off the criminals. I'd bet that this improves the overall safety of companies. Thoughts?
In debates about Christianity, there are two groups: those looking for answers, and those looking to just ask questions.
They do know this group isn't the only group of hackers out there? This payment only "applies" to the one group, right? There's nothing preventing any other hacker from attacking that network, and assuming the "protected from" hacking group actually knows about a vulnerability at the "protectee" site, there's nothing preventing them from selling that information to other hackers. When a business pays "protection" money to a group of gangsters, at the very least they have some expectation that this particular gang will protect its territory and some other group won't come along and extort money from them as well. There's no expectation of this on the Internet. You're going to be asked to pay this periodically. If you really want to be left alone, you'd have to pay off several groups. For this money, you can buy some expertise and protect yourself.
I've got the same combination on my luggage.
No OS on the planet can protect itself from a user with the admin password. - Yvan256
If I recall, anyone who brings any form of material compensation (goods or supplies) to an organization that is a terrorist organization or supports a terrorist organization is in turn guilty of supporting a terrorist organization. What the US Government is trying to do is make it illegal to directly or indirectly support any organization they deem 'terrorist', with the original intent of cutting down the 'money pushers' - the people who procure funding under false pretense and transfer it to entities hostile to the US Government. Since many criminal organizations will have ties with organizations that either directly or indirectly support 'terrorist organizations', the US Government is probably fairly confident that they could draw a line of connection and thus find the company guilty. After all, $100k is a significant amount of money. [As to the post stating that this is BS post, it may be - but it does not change the thought-exercise component of this exercise... think about it: if the Red Cross provides humanitarian aid to members of a terrorist organization and you have donated to Red Cross, then you are guilty also. Welcome to the new USA - a little less liberty for a little more security.]
If you pay a ransom it only encourages you to be hit again and again. At least if you bring in the authorities first and then pay the ransom, the money can be tracked through all the banks if they say it's a good idea, but they'll probably say the same thing, that it's a bad idea. Chiquita Banana has been in similar hot water for paying the local warlords their protection money.
Otherwise a bank teller that gives money to a robber that's pointing a gun at them is supporting terrorism.
"is this supporting terrorists or stockholders?"
Both.
---
That's the new line if you do anything that the DOJ doesn't want you to do. OMG wear your seatbelt or the terrorists win!
"The authorities said the company could be charged with supporting Terrorists."
Not likely, and it would never fly in court unless it could be proved it was intentionally set up to launder money.
It's authorities being pissy they weren't called first.
The Dunning-Kruger effect explains most posts on
a) I wonder which idiot put his/her signature under such a transfer. I presume there was no life in danger, which is the only reason one could think about supporting criminals. Fuck these guys (the crackers and the company). For 100,000 dollars I can invest enough time to hack (presumably by social engineering and really simple attacks) into at least 10 companies; and I am not a professional, neither white-hat nor black-hat.
b) From the formal viewpoint, this looks like corruption. You pay people a lot of money without any proof that they did something for you. What keeps some employee from sharing his secrets and getting something back from some friends? Would be too easy!
c) If they have been hacked already and just pay the blackmail money not to see their customer details in the newspaper, then it would be better to be completely honest about it.
d) I dont think it should be considered to be "supporting terrorists", but it could be funding well organized crime.
I couldn't help but notice that you didn't include the name of the company. That might help us answer your question. So, which company is it?
hackers are paid
companies security hole is plugged
No it's not. Willingly and knowingly giving them money is; something this would not qualify as since they were coerced.
Is this supporting terrorists or supporting stockholders? They're the same in my opinion. No regard for people, only there for a "higher" cause which originates from some ideology.
in girum imus nocte et consumimur igni
The cops, who are supposed to protect the victims here, decide to threaten them instead. Who's the terrorist now?
Damn that was easy.
Yes, and the sad fact is if this was all real, and they hadn't paid, and the hacker(s) did do what they claimed, the company could now have a whole mess of broken regulations and such depending on what type of information they were dealing in and what was taken (which may have cost more than $100,000 in fines, lost customers, damage control and repair costs, etc)...
And I still think this story is bogus, or someone is such an incompetent fool and shouldn't be working for that company.
To pay not only encourages them to do it again, but helps finance their next criminal activity.
You have no guarantee other than the word of a criminal and extortionist that they won't do it anyhow, or jack you for more cash next month.
Terrorism?!?! Not unless your system runs life support systems or something. It's amazing what some bozos call terrorism... No, I take that back, they tend to call everything they don't like terrorism, even unpopular ice cream flavors.
Protecting the stockholders. Only in the short term, as in this quarter. Spending that million to fix the systems and keep them more secure is a much better deal. After all, how many times will you pay out that $100k? How long do you think it will stay that low? And what will your customers think about a company that hands big money checks out to every hooligan that sends them a threat?
By the way, now that the criminals know your company is a sucker, you can bet they are just lining up to take potshots at your bank accounts.
I don't know if paying extortionists is illegal there, but it's never a good idea.
A PHB who will pay this? Want to bet that if you send a fake domain or ink bill it will get paid as well?
Why do you think that supporting stockholders isn't also supporting terrorists? I mean, why not pay em $200,000 for them to take down a rival? It's a free market, man.
This is a new name for the toner scams or the web hosting scam where they just send a bill and it gets paid.
So now that hacking groups are a big hot-button issue, all you have to do is send a letter saying pay up or I will hack you, and you don't even need to know how to hack in the first place.
Couldn't they just pay a professional security firm, get some load balancers, and call it a day? At least then it would be an investment.
You can label anything terrorism, and all of a sudden none of the old rules apply.
Funny how the USA has seemingly managed to deal with domestic terrorism through the court system and not through waterboarding.
[Fuck Beta]
o0t!
They should have contacted the FBI or equivalent authorities in their country before agreeing to give money to the hackers.
You people have become such pussies since 9/11.
Hacking is not a crime.
Most of the laws put on the books should be *civil* matters not criminal.
The world has become very unfun.
This looks like a made-up story to me. No CIO of a 'medium sized publicly traded company' can be stupid enough to just throw away 100K like that. What is the name of this company ?
Trace the money, off the recipients.
This post is completely fake isn't it?
Unless the company had in the past been hacked and found that it was easier to pay the hacker than to clean up the mess then it makes almost no sense.
Not to mention that if you are running around paying hackers you might need to spend the 100k on network security.
I've worked IT the financial industry for a long time and I've never ever heard of this.
Board of directors would flip out in a publicly traded company if this were true.
So couldn't the same be said of all the shipping companies that routinely pay off Ethiopian pirates who take hostages? Shouldn't they be held liable for supporting terrorist activities?
What would you say if the same company were contacted and told that if it didn't pay $100,000 then the group would detonate bombs in the homes of its customers and stockholders? Would you then ask if that group was "Terrorists"? Because extortion based on threats of violence (whether online or physical) is all the same...
Mod parent up for a really excellent Arlo Guthrie reference!
This may have been the best business decision they have ever made.
But of course they can't because the hacker probably didn't have enough experience.
If 1000000 per year is the loss taken by a company due to attacks, and 100000 is required to pay off one criminal group for an unspecified time (let's be generous and assume they'll be satisfied for a year), then the company can buy protection from ten such groups for the same cost as not buying any.
There are too many for that to work. Even if the protection racket included a deal where the paid-off crackers actively went after other crackers who targeted the company, it still wouldn't guarantee them anything. It's not as though anyone can be taken to court for breach of contract over this.
And that's not even taking into account that the prices will rise as long as people are willing to pay. It's not economical - going along with extortion never is.
Death to Capitalist Pigs! Long life to Comrade Avakian!
If any act is a closer representation of true piracy, it's this rather than downloading software. It's very much akin to the Somali pirates that hold merchant ships hostage for a fraction of their actual worth.
When it is a legal defense at all, "coercion" usually requires much more than was in play here (like imminent threat of death).
These Hacker Extortionist Terrorists are the pirates on the internet. I would like to see these companies get that right. I download a file here and there and I'm a pirate? That makes me laugh and throw up on someone's Mezlan Hutchins Oxford shoes.
Won't the hackers just keep demanding more and more money?
So if a family member of mine is kidnapped and I pay the ransom, am I supporting terrorists?
"Is this supporting terrorists or supporting stockholders?"
This is delaying the penalty to your stockholders until the next time they come around, while throwing the stockholders of all other companies under the bus by stimulating and funding the attackers.
Never pay the Dane Geld.
Stop-Prism.org: Opt Out of Surveillance
Lesson learned: Never talk to the authorities.
You can't just say "well, they asked me for money and I gave it to them?" Really? So I have to stop saying that the cashier at the grocer is coercing me to give them money in exchange for goods and/or services?
Now the hacker knows two things:
1. Your network is completely insecure, and your Board knows it.
2. Your Board is composed of idiots.
All they've done is open the floodgates.
For future reference, the correct response is to stall while you collect the money, call the FBI, and let them handle it from there.
--- Generation X: The first generation to have SIG lines inferior to their parents... ---
What is their security posture like? (Don't answer here...)
Have they done any security audits or reports internally - even if they haven't, do they have someone in the company who is familiar with the security posture the company has across the board? This could be a person who has it as his formal job, or someone handling network and system operations who is familiar with their setup and had a general interest in security.
That person needs (I think) to have a sit-down with appropriate staff and then with the CIO to discuss what can be done to immediately perform any key hardening and tightening up some defenses. They should also check their system to see that their appropriate configurations are intact and haven't been compromised. There may be limits to what can be done immediately, but this would be the time to tighten up the easiest ways for their networks or systems to be compromised, and eliminate some unnecessary risk. The biggest risk may be if any systems were already compromised.
This company could bring in a consulting firm (and maybe it should), but I'd start by leveraging in-house knowledge and see if they couldn't immediately identify / review where they stand, what current risks exist, and what can be fixed in 24 hours, 48/72 hours, one business week, and longer. For now, the company shouldn't skimp on the overtime pay for these efforts, or at least let the people involved know their efforts are important and will be appreciated, and their efforts will be rewarded in some manner.
Let us know how things work out... Good luck...
-- Sam
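One concrete way to do the "check that configurations are intact and haven't been compromised" step from the post above is to hash the configuration files once from a known-good state and diff the tree against that baseline after a threat arrives. The script below is an added example written for this page, not code from Sam or from the original thread; the file names, contents and the tampering it simulates are constructed for the demonstration, and the glob patterns are an assumption about which files count as configuration.

```python
"""Baseline-and-compare integrity check for configuration files.

Added example: builds a SHA-256 baseline of config files under a root,
then reports what changed, appeared or vanished relative to it.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: these globs identify "configuration" on the host.
CONFIG_PATTERNS = ("*.conf", "*.cfg", "*.ini")


def hash_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large files don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, patterns=CONFIG_PATTERNS):
    """Map each matching file (relative, POSIX-style path) to its digest."""
    root = Path(root)
    baseline = {}
    for pattern in patterns:
        for path in root.rglob(pattern):
            if path.is_file():
                baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare_to_baseline(root, baseline, patterns=CONFIG_PATTERNS):
    """Return sorted lists of changed, added and removed config files."""
    current = build_baseline(root, patterns)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: a clean tree, a baseline, then three kinds of tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        (etc / "sshd.conf").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (etc / "app.ini").write_text("[db]\nhost=db.internal\n")
        baseline = build_baseline(root)  # taken while the tree is known-good

        # Simulated compromise (constructed): a hardening setting flipped,
        # a new config dropped in, and one file deleted outright.
        (etc / "sshd.conf").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (etc / "cron.conf").write_text("* * * * * /tmp/.x\n")
        (etc / "app.ini").unlink()

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline dictionary is written out as JSON and kept off the host being checked: an attacker who already has root can rewrite a baseline stored next to the files it protects, which is exactly the "systems may already be compromised" risk the post raises.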
I really don't like the "charged with supporting Terrorists" bit; it makes me worry about the repercussions of paying taxes.
Did they write out a check or pay in cash? If they paid in cash, do they have a receipt from the hacking group? How are they accounting for this in their books? Is there a special head called "extortion" in their account books???
If this is the thought management has given to all these accounting issues, forget security issues, they are in financial trouble and this is not a security problem.
How about putting those $100,000 into securing your infrastructure?
Everything that is happening lately is sheer folly. Any real hacker or cracker wouldn't shoot themselves in the foot like this. These are amateurs pretending to be gang members. These are governments and companies posing as hackers to get tougher anti-nerd laws passed. You just don't have an anarchist mentality show up overnight like this among people more educated than the average college graduate. You could possibly have it over something like a ten-year period with a couple of small groups, but not like what is happening now. It's disgraceful and the only logical explanation is a campaign for a more controlled and metered internet with less privacy. A 9/11 to justify controlling the net.
It seems like a better use of $100,000 to pay an organization to hunt down and kill a few hackers in some demonstrably brutal way.
Kind of two birds with one stone - cure for the immediate issue, plus a future prophylactic value.
-Styopa
This seems a lot like the mentality that it is better to pay off the patent trolls rather than fight. But then, patent trolls are court approved [criminals] ;-)
Supporting both? The company will have a big loss if they don't pay the hackers, who can really do BIG damage.
All your base (ahem, Companies) are belong to us!