Slashdot Mirror


Hackers Find Bugs, Extort Ransom, Call It a Public Service (threatpost.com)

Reader msm1267 shares a report on ThreatPost about an ongoing security trend: Crooks breaking into enterprise networks are holding data they steal for ransom under the guise that they are doing the company a favor by exposing a flaw. The criminal act is described as bug poaching and is becoming a growing new threat to businesses vulnerable to attacks.
Hackers are extorting companies for as much as $30,000 in exchange for details on how hackers broke into their network and stole data. Researchers say once the intruders steal the data, there's no explicit threat that they will break in again or release data if companies don't pay. Instead, attackers release a simple statement demanding payment in exchange for details on how to fix the vulnerability.
Typical bug poaching incidents start with criminals breaking into a network and stealing as much sensitive data as they can. Next, they post the data to a third-party cloud storage service. Lastly, the attackers email the company links to the data as proof the information was stolen and ask for a wire transfer of money in exchange for how the data was stolen.
During the attack, victims are not threatened with the public release of their data; instead, attackers simply send a message that reads: "Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for a living, not for fun."


  1. Private Enterprise at work finding holes by BoRegardless · · Score: 2, Insightful

    Isn't this the way capitalism is supposed to work? Find a need and fill it?

    1. Re:Private Enterprise at work finding holes by gurps_npc · · Score: 2

      Nope.
      If I find a need for your home to require a fire alarm, I can't break into your home and install one, then demand money for the 'work' I did.

      --
      excitingthingstodo.blogspot.com
    2. Re:Private Enterprise at work finding holes by geek · · Score: 2

      Isn't this the way capitalism is supposed to work? Find a need and fill it?

      Yes. They are called pentesters. These however are no pentesters.

    3. Re:Private Enterprise at work finding holes by fustakrakich · · Score: 4, Funny

      It's also anti communist. The people that report bugs for free are being thrown into jail. Damn hippies!

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:Private Enterprise at work finding holes by bluefoxlucid · · Score: 3, Insightful

      Yes, and government is meant to regulate and facilitate capitalism. Faced with a need, hundreds of frauds will try to sell you a useless product or service, and others will attempt to manufacture a need by such methods as causing you harm and selling you the means to repair said harm. Governments place regulations and laws providing standards and punishment for such actions so that such exchanges are voluntary and beneficial.

    5. Re:Private Enterprise at work finding holes by Qzukk · · Score: 3, Informative

      Who's installing one?

      What this sounds like is that they break in, find you have no fire alarm, then tell you "hey bud, you've got a major fire code violation on your hands. For $x, I'll tell you what it is. Otherwise, well, who knows what the next inspection will turn up?"

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  2. Headline should be... by mongothesecond · · Score: 5, Funny

    Bug bounty participants decide they want a raise.

  3. Why not? by fustakrakich · · Score: 2, Insightful

    The good Samaritans are being treated like criminals anyway. This makes it worth the risk. We can blame the authorities for this turn of events. Treat people like criminals, you're gonna get criminals.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Why not? by fustakrakich · · Score: 2

      Right or wrong, most people will follow the example that leads to the highest rewards.

      --
      “He’s not deformed, he’s just drunk!”
  4. Post More FUD by zenlessyank · · Score: 2

    Meanwhile corporations put profit over security. Somebody calls them out for it and they claim terrorism. Fix your shit or get owned. Blaming somebody for walking in the front door when you left the door unlocked is stupid. This is the real world. Not some fantasy place where your wish is everyone else's command. Self-righteous spin will come back to haunt you.

    1. Re:Post More FUD by bluefoxlucid · · Score: 3, Insightful

      Corporations are minimizing *cost*; profits are not directly under corporate control. When you reduce cost, you can reduce price to take a stronger market position--and that works until your competitor does the same, at which point you need to reduce cost further and get in line with whatever your profit margin was in the first place.

      That's usually a maximizing strategy. Spending excess for something (e.g. security) means something else is not made, because that consumes labor; likewise, the uptick in a product's cost means the price goes up, and thus consumers can't buy as many other things with their income (which, happily, aligns with the "the people who were making other things are now busy making this thing instead" problem). Couple that with technical progress and you get phenomena such as food getting cheaper (30% of the median family's income in 1950, 14% of their income in 2000, 11% today) and people having better access to medical care, smart phones, or ALL THE OTHER SHIT THAT MAKES US ACTUALLY CARE ABOUT COMPUTER SECURITY.

      I said *usually* a maximizing strategy. Even with computer security as today, these types of breaches carry a cost and, notably, they carry risk: that $30,000 cost isn't just a $30,000 cost, but the *potential* for lost customers and UNCONTROLLED COSTS. Those uncontrolled costs could be immeasurable: they could be millions, they could be a percentage of your business, or they could be a blunt disruption to operations resulting in either immediate failure *or* a temporary loss of operating ability shifting business toward a competitor and leading to a downward spiral of your business's market position until it ceases to be a business.

      "We don't know how much we need to charge for our product to stay in business" tends to turn into "we need to charge more than our competitors, and are losing business because their products are cheaper", which tends to motivate businesses to deploy better security to control those risks. As we've seen, this isn't *always* true; it's typically *reasonably* true, and even the best security gets breached (something you're unfairly ignoring)--just much less often.

      It's also true that, as you suggest, businesses will under-spend for security when that spending doesn't provide them a direct return due to the consequences being borne by the market. That is: security breaches generally cost a business unknown money, thus are addressed naturally as a risk; and security breaches *can* cost the consumer in ways which aren't covered by actions which protect the business, thus creating a gap in which a certain action would provide an economic benefit, but not be a natural action for a business to take.

      That gap is filled by GOVERNMENT REGULATION. Use sparingly, but use where required.

      So, business cost-minimizing and cost-controlling actions: Good. Government regulations: Good. These two things cover for each other. Without business behavior as such, we need some kind of command economy (Marxism, Communism); without government regulation as such, capitalism outright fails (we get anarchocapitalism and then corporatism, leading to fascism--corporate dictatorship by controlling market interest such that "voting with your dollars" creates widespread poverty and worse immediate problems than accepting the rule of the elite).

  5. "honestly"???? by mark-t · · Score: 4, Insightful

    Like seriously anyone can possibly be expected to believe that?

    If the person is willing to break the law and hack into somebody else's computer without permission, why the heck would they have any compunction about lying about not releasing the data? They've already showed willingness to ignore what the law requires them to do (or not do), so there is no reason to believe that they would not release the data.

    1. Re:"honestly"???? by mark-t · · Score: 2

      I didn't suggest that computer trespass was akin to murder though, did I? *YOU* were the one who brought up that comparison. I suggest only that computer trespass is akin to things such as fraud and theft, which is also what selling the data to someone else would be.

    2. Re:"honestly"???? by mark-t · · Score: 2

      Nobody's forcing the hackers to hold the data hostage.... they could, if they really were so inclined to do things on the up-and-up, have resorted to doing *LEGAL* things instead of breaking the law. The only reason they could ever somehow feel forced to sell or distribute the data in the event that they didn't get paid for the service of knowing how the hack was accomplished is because they broke the bloody law in the first place. In fact, the only logical reason I can think of for them to do things illegally at all is because the profit incentives might be better, so it is far more likely that profit is the incentive for the action than any genuine desire to improve security.

      Sheesh.... talk about blaming the victim for a crime.

    3. Re:"honestly"???? by mark-t · · Score: 3, Insightful

      I would suggest that it may very well be that the desire to at least offer a pretense that they have the best interests of the victim in mind... when in fact, if they genuinely had had their best interests at heart, they would not have chosen to deliberately break the law and hack into their system in the first place, and certainly not hold the details of how they did so for ransom.

  6. Garbage journalism by ShanghaiBill · · Score: 2

    ... If someone ELSE broke in and found the information, and then released it to the public - but I wouldn't do such a thing. ... heheheh

    According to TFA that is NOT what they are doing. Also, according to TFA, that is exactly what they are doing. When an article is written this incompetently, and contains contradictory statements, and zero actual examples, it is best not to draw conclusions from anything it says.

  7. Re:Work both ends...like the cable companies by Gavagai80 · · Score: 3, Interesting

    If it's genuinely not about the money, demand that the company donate the specified amount to a specified charity.

    --
    This space intentionally left blank
  8. Clever.Hacking less of a crime than blackmail? by evolutionary · · Score: 3, Interesting

    Technically, prosecutors can't charge blackmail because they haven't said your data will be exposed unless you pay. They are only asking to be paid for how to patch the security flaw. (White hacking + data extraction) Of course the idea is to add "incentive" with the data being in public, unauthorized space. But they haven't said it would be leaked unless payment is given (or only take it down on the same terms). Of course the victim could turn that around and say, "before we discuss the merit of your services, let's say you remove all the files I own from your server, allow me access that I may be satisfied to the fact it is destroyed and no spare copies exist, you tell me how you broke into my system and how to patch it up and in exchange I don't send your name, and your communications to me to the cyber crimes division of the FBI, it's a bargain considering the alternative, and some free advice in return for your assistance...stop short of actually stealing files before asking for a fee for your proactive "good citizenry". Appreciate your efforts".

    --
    "Imagination is more important than knowledge" - Einstein
    1. Re:Clever.Hacking less of a crime than blackmail? by stephanruby · · Score: 2

      "...let's say you remove all the files I own from your server, allow me access that I may be satisfied to the fact it is destroyed and no spare copies exist...

      So you're demanding root access to all his servers, email accounts, cloud accounts, passwords, phones, tablets, external drives, USB flash drives, SD cards, burned DVDs, tape backups, any accounts of his friends and family, his garage, his home, his gym locker, any and all his body cavities, etc.

      And even then, do you realize that even if he gave you all of these things, it will never guarantee that the data "was destroyed and no spare copies exist"? No, no. If your data has been compromised, it has been compromised. Once the cat is out of the bag, you should simply assume that every bad guy has it by now, or will have it at some time in the future. And you're better off just biting the bullet now and letting your management, any other stakeholder, and your customers know about the breach as soon as possible. Because even if you did pay them money to keep this information secret, there is simply no guarantee this blackmailer won't turn around and sell your secrets to other groups of people, or won't turn around and ask for more payments down the road.

  9. from Ransomware to Ransom as a Service? by Gravis+Zero · · Score: 4, Funny

    sounds like these blackhats just got their MBAs. ;)

    --
    Anons need not reply. Questions end with a question mark.
  10. Re:Work both ends...like the cable companies by wierd_w · · Score: 2

    That's how you get "sued then ignored."

    Holding the data makes them have to take you seriously.

    It's a terrible thing, but the downward spiral is being driven by the obstinate corporation's sociopathy, not the grey hats.

  11. How to Be Taken Seriously 101 by penguinoid · · Score: 4, Insightful

    After decades of "We'll fix that as soon as possible (maybe 20 years)" or "How dare you threaten/embarrass us, you evil criminals!" as a response to disclosure of security vulnerabilities, I can sympathize with this course of action. After all, they're at about as much risk of legal action either way, in fact probably less this way.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  12. Re:Work both ends...like the cable companies by UsuallyReasonable · · Score: 3, Insightful

    If you don't understand how tax law works, posting comments regarding it is a bad idea. Tax deductibility does not make something free.

  13. Re:Until the FBI shows up by barbariccow · · Score: 2

    Terrible analogy - you'd have to break in and make a clone of the cat and take that clone to be even a little bit close.

    Not according to the RIAA and the supporting court system.