Job Seeking Hacker Gets 30 Months In Prison

wiredmikey writes "A hacker who tried to land an IT job at Marriott by hacking into the company's computer systems, and then unwisely extorting the company into hiring him, has been sentenced to 30 months in prison. The hacker started his malicious quest to land a job at Marriott by sending an email to Marriott containing documents taken after hacking into Marriott servers to prove his claim. He then threatened to reveal confidential information he obtained if Marriott did not give him a job in the company's IT department. He was granted a job interview, but little did he know, Marriott worked with the U.S. Secret Service to create a fictitious Marriott employee for use by the Secret Service in an undercover operation to communicate with the hacker. He then was flown in for a face-to-face 'interview' where he admitted more and shared details of how he hacked in. He was then arrested and he pleaded guilty back in November 2011. Marriott claims the incident cost the company between $400,000 and $1 million in salaries, consultant expenses and other costs."

Good

[Viol8]

Blackmail is blackmail whatever method is used to carry it out. Thinking that you're some sort of "lee7" hacker doesn't change the rules. Besides which, this guy comes off as an arrogant moron anyway.

Re:Good

[hrvatska]

The guy is a citizen of Hungary. He did the illegal intrusion and attempted blackmail while in Hungary. He was arrested when he arrived in the US for a 'job interview'. Hungary's economy is more fucked up than the US economy, and they did it all on their own.

Re:Good

[phantomfive]

He still hacked and deserves what he got, but Marriott is just trying to shift the blame of their security flaws so investors don't point the blame at them.

Why do you think this? I couldn't find anything related to it in the article. Do you have some preconceived idea of how companies should act, and then judge them without checking the evidence? That's a serious cognitive bias.

He was able to hack their systems by spear-phishing, sending trojans directly to specific employees. This isn't necessarily a security flaw of the system, but rather lack of training for users (who may not care and may not want to be trained).

Re:Good

[betterunixthanunix]

He was able to hack their systems by spear-phishing, sending trojans directly to specific employees. This isn't necessarily a security flaw of the system, but rather lack of training for users (who may not care and may not want to be trained).

Except that users are part of the system that is being attacked. As Bruce Schneier put it, only amateurs attack machines; professionals target people.

It is true that user training is hard. It is equally true that the system should be resilient to stupid users, just as it should be resilient to malicious users. Spear-phishing and trojans are just a way to get non-malicious users to behave maliciously, and the system should be designed to contain the damage that malicious users can cause. There are a variety of technical measures that can be taken to prevent malicious users from leaking information or otherwise violating the security of the system; a large company should be taking these sorts of measures.

Re:Good

[betterunixthanunix]

I am not going to claim that malicious users can be prevented from doing any damage. All I am saying is that a malicious user's ability to do damage can be restricted in a well designed system. The entire point of MLS systems is to ensure that users cannot leak or alter sensitive information, beyond what is necessary for their job. "Inside jobs" are a problem that has been extensively worked on, and resilience to such attacks is not completely impossible. There are cryptographic approaches to dealing with potentially malicious parties within a given system, which can ensure that security is maintained even if some of the participants are corrupted.

We really do not have to throw our hands in the air and declare spear-phishing to be some kind of ultimate attack that cannot be defended against.

Re:Good

[EdIII]

Seriously?

Not allowing .exe files in emails drive you crazy? Especially when email was never truly designed for file transport in the first place?

Not allowing compressed file attachments that cannot be scanned drives you crazy?

Well tough cookies buddy. If you need to send files back and forth with a user on my network you can go through different channels, and whatever they are, you can bet that the file will be scanned and the user will not be allowed to install software. If you are trying to protect from being scanned or opened, you are already wrong to do so. The user has no basis or justification to need privacy (from the system) when exchanging information across email. Part of the data diode and behavioral analysis I mentioned.

None of what I said prevents normal file transfers needed in the course of business. Just executable files.

I hardly see how that is unreasonable.

If I wanted to go overboard and be unreasonable I would remove PDF attachments.

Re:Good

[Coeurderoy]

Well, mostly he was seriously stupid, he might have got a job if he would have shown the weaknesses, and offered to help them, making sure that if they didn't want him, he would just forget about it, or if they would be interested make at a latter time an intrusion test.
He should also make sure that he can explain how to pull documents out, but not actually do it.
That way he would not have to go to jail... (or at least very much lower the risk of...)

But nobody sane hires a blackmailer without immediately thinking about how to put the idiot in jail...

Re:Good

[EdIII]

With your attitude, you're right. You would not be working for my company.

Very simply that is because I am a very fair and reasonable CTO. When users (which includes you) get out of line and have no justifications for their actions that create liability for the company, when I provide efficient and workable alternatives, they get disciplinary action all the way up to being fired.

The reason why is that I am well respected by the people in my company from top to the bottom. I have always worked well with people to find solutions without endangering the company, or creating a hostile work environment between IT and the users.

You would not fit into our company. You cannot even give me:

1) A good reason why you need to send that type of data in email.
2) A cogent description of your needs for me to find a solution.

How can I begin to help when you refuse? You have no respect for my job, my responsibilities, or a willingness to participate in problem solving or conflict resolution.

You are the weakest link. Good bye.

Cost them $1Million

[Bradmont]

So how much of that $1 million in salaries was spent repairing the security holes, which they should have done anyway?

How someone can be that smart in hacking..

[hcs_$reboot]

..and that stupid otherwise? The right move was to arrange an IT job interview with Marriott, and claim good security skills.
"I found a security hole in your systems and may help you to improve this, and your systems globally".

Re:How someone can be that smart in hacking..

[artor3]

You haven't met many computer nerds, have you?

Re:How someone can be that smart in hacking..

[Dogtanian]

..and that stupid otherwise? The right move was to arrange an IT job interview with Marriott, and claim good security skills. "I found a security hole in your systems and may help you to improve this, and your systems globally".

No, no, no, no, NO.

You absolutely do *not* do that. Some (reasonable) companies *will* be grateful that you informed them of a problem with their security. Others will get the wrong end of the stick- even if you found the hoed through innocent means- assume that you hacked or were trying to hack into their system, and act accordingly.

Others still won't care, but will be angry that their shortcomings have been exposed (either the organisation as a whole, or vested interests that hold sway within that organisation, e.g. the crappy IT guy who's just been made to look bad) and that they have to correct them. Under such circumstances you are in danger of them maliciously trying to punish you or get revenge in some manner.

You do *not* risk the second or third happening, regardless of whether informing the company would benefit them. Ideally you'd be able to, but this isn't an ideal world, and you do not put yourself at risk for a benefit that they might not perceive as such. At best, if you need to report this kind of thing, you do it anonymously and/or in a manner that makes it untraceable or at least such that you won't be at risk of retribution.

This is the problem with geeks not understanding that the world does not operate in the logical manner they'd like to think, of assuming that people will behave logically and of not factoring in personal politics, self-interest and inadvertantly standing on someone else's toes.

Re:How someone can be that smart in hacking..

[ranpel]

Someone can have skills and lack the maturity and wisdom to wield them easily enough. It's more of a willingness to engage in a clearly criminal endeavor with those skills that is relevant. He could just as easily have delivered his findings, suggest they shore up, wish them luck and maybe hint that he's looking for a new gig and if they find themselves in need of someone that can shore up then to feel free to drop a message on this anonymous drop box. Gaining access to information is one thing but using that information quite another. The option this guy chose not only exposed himself rather awkwardly but is one quite deserving of a good stint in jail.

Re:How someone can be that smart in hacking..

[Loosifur]

No moral or legal basis for being upset, huh?

"Hi, I noticed you'd left your front door unbolted, and your big-screen television is clearly visible from the street. Also, just to check, I climbed over your back fence and tried the back door, which you left unlocked. When I got inside and heard your dog barking I was a little worried, but it turns out he's really friendly. I've taken the liberty of writing up a list of suggestions for you to make your house more secure; it's taped on the front of your fridge. Incidentally, I just happen to sell alarm systems, if you're interested..."

This story needs more press.

[goodmanj]

The general public thinks of "hackers" as super geniuses. This gives actual smart people a bad reputation. We need more stories like this to show that the average computer cracker is at least as stupid as the average Joe.

Honestly, any janitor could tell you instantly why this plan is idiotic.

Re:Let me show you my back door

[wdhowellsr]

I know, that's exactly what I thought when the head developer told me that. But if you think about it, if you are the largest -- Insert Anything -- company in the world you are a target and if you have ever eaten at Olive Garden, Red Lobster, Long Horn Steak House, The Capital Grille, Bahama Breeze or Seasons 52 a single recipe or trade secret could be worth millions.

Olive Garden's Seafood Portofino with Minestrone Soup is without question the best recipe of it's type I have ever tasted, and don't get me started on the bread sticks.

Damn, now I'm hungry.

Re:$1 mil? Seriously?

[Score+Whore]

Why do you think the damages are made up?

Once the notice comes to IT that they've had a break-in you've got an awful lot of work to do. Much more than just applying a security patch. You've got to figure out what happened and which systems were affected. Which means that even if you have a situation like this where the attacker tells you how they got in, you don't know if they are lying. So you have to do a security survey of every single system on your network to make sure there are no back doors, root kits, or altered data. Just reviewing could readily cost you hundreds to thousands of dollars per system. You may be facing multiple nuke-n-pave situations on your servers (may cost you $5,000 - $10,000/system.) Which means you will be losing data or will have to recreate data. If you have a centralized reservation system they may have to take that down in which case you are idling thousands of workers worldwide as well as losing business during the downtime. That's probably measured in thousands of dollars per minute in costs and losses. You've got to bring in your legal team and executive management so they can determine if non-IT related actions that need to be taken (offer your customers identity theft protection?) Who knows how much that is, but it could easily be north of $100,000. Probably you'll be bringing in security experts to review your policies, practices and implementation. A team of four at $250/hr/consultant and you are burning $40,000/week just in consultant fees. Those consultants will be working with your IT staff who will not be doing their normal work, so that's another $5,000 - $10,000/week.

$400,000 - $1,000,000 is an easy number for an IT organization to reach in a large company. A business the size of Marriott may well have a central IT staff numbering between 750 - 1000 people. If they have a particularly efficient team and are on the low end of staffing (750) and have good control of salary ($60,000/yr), they have annual staff costs over $56,000,000. Diverting 10% of those means $108,000/week.

Re:$1 mil? Seriously?

[ScentCone]

I'm so tired of seeing these ridiculous and obviously made-up damages

Did you even bother to read the summary, let alone the article? They had a lot of work to do in interacting with the feds in advance of busting this guy in person (he was cracking/extorting from Hungary). This involved many employees, corporate lawyers, etc. You tie up those sorts of man-hours, including the time to gather and preserve an unknown until you're done pile of forensic information from a huge IT footprint at a company that size ... I'm surprised the cost wasn't higher.

What I'm tired of are people who are so vitriolically anti-business in their mindset that they won't even do the mental work of thinking something like this through, lest it take some of the fund out of Complaining About The Man.

Really?

[DRMShill]

Do you apply this logic to your own network? Actually let me rephrase that. Do you apply this logic to your own possessions, property and family? Do you believe burglary victims should share part of the blame because they didn't reinforce the glass windows(security flaws) in their homes?

Let's call a horse a horse here. This man was a criminal. He deserved what he got.

I'm not a hacker but...

[stealth_finger]

...wouldn't it be easier to hack in and put your self in the employee database, set up payroll or send an email from the proper account to the payroll section to sort it and then just turn up on Monday? Or better yet not and get paid anyway.

Re:Let me show you my back door

Olive Garden's Seafood Portofino with Minestrone Soup is without question the best recipe of it's type I have ever tasted, and don't get me started on the bread sticks.

Wow. You really need to experience more cuisine options from people who aren't high-school dropouts reading a corporate recipe. Life is too short to eat shit and then believe that's the best there is.

Re:How much does 30 months in jail cost us?

[dkf]

Ultimately it might have been cheaper just to give the guy a job.

Except that it's insane to employ a blackmailer as you can never ever trust them. Same with a fraudster. You've got to hire someone else to fix the problems, and in general the cost of punishment is regarded as permissible as part of the cost of a reasonable degree of social stability.