Hackers Find Bugs, Extort Ransom, Call It a Public Service

Reader msm1267 shares a report on ThreatPost about an ongoing security trend: Crooks breaking into enterprise networks are holding data they steal for ransom under the guise they are doing the company a favor by exposing a flaw. The criminal act is described as bug poaching and is becoming a growing new threat to businesses vulnerable to attacks.
Hackers are extorting companies for as much as $30,000 in exchange for details on how hackers broke into their network and stole data. Researchers say once the intruders steal the data, there's no explicit threat that they will break in again or release data if companies don't pay. Instead, attackers release a simple statement demanding payment in exchange for details on how to fix the vulnerability
Typical bug poaching incidents start with criminals breaking into a network and stealing as much sensitive data as they can. Next, they post the data to a third-party cloud storage service. Lastly, the attackers email the company links to the data as proof the information was stolen and ask for a wire transfer of money in exchange for how the data was stolen.
During the attack, victims are not threatened with the public release of their data, instead attackers simply send a message that reads: "Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for a living, not for fun."

Private Enterprise at work finding holes

[BoRegardless]

Isn't this the way capitalism is supposed to work? Find a need and fill it?

Re:Private Enterprise at work finding holes

[bluefoxlucid]

Yes, and government is meant to regulate and facilitate capitalism. Faced with a need, hundreds of frauds will try to sell you a useless product or service, and others will attempt to manufacture a need by such methods as causing you harm and selling you the means to repair said harm. Governments place regulations and laws providing standards and punishment for such actions so that such exchanges are voluntary and beneficial.

Why not?

[fustakrakich]

The good Samaritans are being being treated like criminals anyway. This makes it worth the risk. We can blame the authorities for this turn of events. Treat people like criminals, you're gonna get criminals.

"honestly"????

[mark-t]

Like seriously anyone can possibly be expected to believe that?

If the person is willing to break the law and hack into somebody else's computer without permission, why the heck would they have any compunction about lying about not releasing the data? They've already showed willingness to ignore what the law requires them to do (or not do), so there is no reason to believe that they would not release the data.

Re:"honestly"????

[Jumunquo]

And that is exactly the very valid point that was made - that is willingness to commit computer trespass and ask for money does not necessarily equate a willingness to release secret company information.

I can switch the question back onto you - why would the criminal not just threaten to release the info then? Wouldn't that be better at compelling you to pay the ransom? I'll try to make an educated guess here: I bet they are trying to give themselves an excuse for their behavior or they are following some sort of self-imposed rules for their skewed sense of ethics. Would they release it if ignored? I don't think you can assume one way or another.

Re:"honestly"????

[mark-t]

I would suggest that it may very well be that the desire to at least offer a pretense that they have the best interests of the victim in mind... when in fact, if they genuinely had had their best interests at heart, they would not have chosen to deliberately break the law and hack into their system in the first place, and certainly not hold the details of how they did so for ransom.

Re:Post More FUD

[bluefoxlucid]

Corporations are minimizing *cost*; profits are not directly under corporate control. When you reduce cost, you can reduce price to take a stronger market position--and that works until your competitor does the same, at which point you need to reduce cost further and get in line with whatever your profit margin was in the first place.

That's usually a maximizing strategy. Spending excess for something (e.g. security) means something else is not made, because that consumes labor; likewise, the uptick in a product's cost means the price goes up, and thus consumers can't buy as many other things with their income (which, happily, aligns with the "the people who were making other things are now busy making this thing instead" problem). Couple that with technical progress and you get phenomena such as food getting cheaper (30% of the median family's income in 1950, 14% of their income in 2000, 11% today) and people having better access to medical care, smart phones, or ALL THE OTHER SHIT THAT MAKES US ACTUALLY CARE ABOUT COMPUTER SECURITY.

I said *usually* a maximizing strategy. Even with computer security as today, these types of breaches carry a cost and, notably, they carry risk: that $30,000 cost isn't just a $30,000 cost, but the *potential* for lost customers and UNCONTROLLED COSTS. Those uncontrolled costs could be immeasurable: they could be millions, they could be a percentage of your business, or they could be a blunt disruption to operations resulting in either immediate failure *or* a temporary loss of operating ability shifting business toward a competitor and leading to a downward spiral of your business's market position until it ceases to be a business.

"We don't know how much we need to charge for our product to stay in business" tends to turn into "we need to charge more than our competitors, and are losing business because their products are cheaper", which tends to motivate businesses to deploy better security to control those risks. As we've seen, this isn't *always* true; it's typically *reasonably* true, and even the best security gets breached (something you're unfairly ignoring)--just much less often.

It's also true that, as you suggest, businesses will under-spend for security when that spending doesn't provide them a direct return due to the consequences being borne by the market. That is: security breaches generally cost a business unknown money, thus are addressed naturally as a risk; and security breaches *can* cost the consumer in ways which aren't covered by actions which protect the business, thus creating a gap in which a certain action would provide an economic benefit, but not be a natural action for a business to take.

That gap is filled by GOVERNMENT REGULATION. Use sparingly, but use where required.

So, business cost-minimizing and cost-controlling actions: Good. Government regulations: Good. These two things cover for each other. Without business behavior as such, we need some kind of command economy (Marxism, Communism); without government regulation as such, capitalism outright fails (we get anarchocapitalism and then corporatism, leading to fascism--corporate dictatorship by controlling market interest such that "voting with your dollars" creates widespread poverty and worse immediate problems than accepting the rule of the elite).

How to Be Taken Seriously 101

[penguinoid]

After decades of "We'll fix that as soon as possible (maybe 20 years)" or "How dare you threaten/embarrass us, you evil criminals!" as a response to disclosure of security vulnerabilities, I can sympathize with this course of action. After all, they're at about as much risk of legal action either way, in fact probably less this way.

Re:Work both ends...like the cable companies

[UsuallyReasonable]

If you don't understand how tax law works, posting comments regarding it is a bad idea. Tax deductibility does not make something free.