Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Government The Courts IT News

Digital Thieves Use Ex-Employees Accounts 98

prostoalex writes "The New York Times is running an article about a new generation of digital thugs. Using unsecured wireless networks, free e-mail accounts, a wealth of security knowledge, and, most important - employee passwords, thieves are getting access to valuable company databases. Once they're in, they start extorting the companies to pay up for them to leave. Otherwise phony e-mails to customers and sensitive information published publicly will lead to an embarrassment."
This discussion has been archived. No new comments can be posted.

Digital Thieves Use Ex-Employees Accounts

Comments Filter:
  • New Generation? (Score:5, Informative)

    by Manip ( 656104 ) on Sunday August 07, 2005 @05:44PM (#13265831)
    This was going on in 1996 and has been ever since so how is this a "New Generation"; the only thing that has changed between now and then is now we have more insecure WIFI networks but really that doesn't change how the game is played at all.
    • exactly.

      i know a kid who had access to the web box with his ex-employer, decided to get even with them for firing him, so he decided to deface their homepage and delete their mysql databases. (they sold info on databases or something..)

      whats up with these garbage stories? did you know people get their passwords cracked, or stolen from social engineering?

      i got a better story.. cisco/ISS laywers are running around harrassing everyone who posted that info by micheal lynn. cryptome.org got hit with the
  • by eobanb ( 823187 ) on Sunday August 07, 2005 @05:46PM (#13265837) Homepage
    it seems like mostly smaller and medium-sized businesses would be vulnerable to this, not larger corporations, or perhaps a small division of a larger corp, because access to big cash usually requires the blackmailee to go through some kind of board of directors who are going to refuse to yield, while a more tightly-knit mom and pop shop is going to have no one to turn to. A big company could have all sorts of resources immediately available for damage control (e.g. warning customers of fraudulent information, quick access to high-level law enforcement, à la FBI). Sigh, and all because of wireless networks. When is Cisco, D-Link, Netgear, going to learn to turn on encryption by default? Microsoft learned the hard way; users are too damn stupid to secure anything on their own, and that includes business. That's what it comes down to, stupidity.
    • Ignorance, yes.

      Users shouldnt have to understand how it all works and how to secure their network/pc. It should come that way.

      Much as your car does. You shouldnt have to understand how the locks work, or the ECM's. They should 'just work'.

      Is it nice that you can tear down and rebuild a transmission in 2 hours flat? Sure, but you cant expect the average citizen to know that.
      • Re:Stupidity? No. (Score:3, Insightful)

        by dhasenan ( 758719 )
        But you do exactly one thing with a vehicle: you move stuff in it. It's an assembly of a few simple systems, including, usually, locks, AC, stereo, and the vehicle itself. Your car doesn't serve arbitrary media, facilitate content creation, and enable you to search the Internet and talk to your friends, as well as monitor itself, all with one complex system.

        Sure, a computer isn't a single system, but it's a set of systems with a single interface, and your actions are rather more separated from effects than
        • Cars are 'systems'. Vastly more complex then that PC you are sitting at now. It also has much more real ramifications if it doesnt perform. People can die.

          It is not realisitc to expect average users to understand the PC from a techincal side. It has *nothing* to do with stupidty or lazyness. Its an appliance to them, nothing more.

          IT people hired to be experts, we do agree on that part. They should know what they are doing and take action.
          • It's an interface issue. A car has a wheel and a few levers; you need to know how to work three of the levers (for an automatic), and you see results almost immediately. A computer has a keyboard and mouse, but those aren't the real interface; you've got a web browser with ten buttons and six menus (and about two dozen submenus), half a score of dialog boxes that you can access via the menus and buttons....and oftentimes, you alter a setting and don't see any result for quite some time.

            That's about one esse
            • Ya. thats why 5 year olds can use a computer but not drive a car.
              • Well, perhaps the fact that a five-year-old can't reach the pedals or see above the dashboard has a bit of influence.

                There's also the safety factor--do little kids have the attention span to drive ten miles down the freeway, obeying traffic laws? Explosions are cool, after all. And then there's the whole hand-eye coordination in development thing.
                • Anyone who doubts the quality of the hand/eye coordination of a 5-year-old has never watched a toddler playing a console game. My three-year-old (at the time; he's 15 now) could out-Mario any human being in existence. He totally pwn3d at Super Mario World, or virtually any other hand/eye coordination scroller game. It was frightening, and I don't think he was any prodigy.

                  No the problem with driving is that it's actually a huge task, with lots of full-body coordination (steering, a couple of feet, a hand for

              • Ya. thats why 5 year olds can use a computer but not drive a car.

                Who says that? 5 year olds can drive a car just as they can use the computer. The damage they can cause will result in different set of risks/liabilities...

            • Let's see, my car has a computer that let's me change the way the transmission works (adaptive, economic, sport) and I don't see the result until I'm driving. There are other settings that I don't pay much attention to but could end up setting them differently on accident.

              My mother plugged her digital camera's charger into my wife's car and it blew some fuse that changed the car from automatic to manual until we figured out that this was the problem.

              Cars are plenty complex and you can do lots of things to s
          • People can die with computer systems too. I forget the name of it, but it was a long while ago. This computer with some sort of embedded hardware was in charge of administering dosages of medicene to cancer patients, and on one strange race condition, it would administer the wrong amount, causing the patient to die. I think about 5 people died before it was found out.
            • You're probably thinking of the Therac-25, a medical linear accelerator. Back in 85/86 it killed 6 people after they switched from a standalone unit with physical safety interlocks that could be controlled by software to a software only unit with no interlocks.

              See http://www.flippedbit.net/3921/failures.htm [flippedbit.net] (scroll down a bit)
          • Cars are 'systems'. Vastly more complex then that PC you are sitting at now.

            Yeah right, how many cars allow you to install random stuff on the computer? Fact is, your car has been continuously refined over the past century, while your computer has been vastly extended over 30 years.

            • Yeah right, how many cars allow you to install random stuff on the computer?

              I don't know about random stuff on the computer (in a car, right? Maybe in the ECM or something?), but you can install random crap in the engine compartment, or on the wheels, or on the brake calipers, or in the steering pump, and have horrid results. (I speak from experience. Never ever mix radial and bias-ply tires. Scary.)

              A careless and thoughtless user can install crap in a car that can KILL. It's the rare computer that for whi

              • you can install random crap in the engine compartment, or on the wheels, or on the brake calipers, or in the steering pump, and have horrid results. (I speak from experience. Never ever mix radial and bias-ply tires. Scary.)

                Yeah, but I bet you don't expect the car to behave after defiling it like that. The basic functions of a car haven't changed much in 20 years. It's more eficient, and ABS helps, but the basic behavior is the same.

    • While the big corps maybe more hassle, they are also a bigger prize.

      On the point of wireless networks, thats not the only weakness in big companies. A telecoms company i used to work for are very lax on the employee leaving proceedures. I was finished up on a temp contract and left the company. three months later i had a new contract and i was back there. I sat down at a desk and typed in my login details... they worked, only my password had expired. I still had all the access i had previously.

      Also a fr

    • Comment removed based on user account deletion
    • When is Cisco, D-Link, Netgear, going to learn to turn on encryption by default?

      It still astounds me that computers seem to halve people's intelligence. What [tomsnetworking.com] is [ehow.com] WEP [weblogsinc.com] going [wifi-toys.com] to [quepublishing.com] get [networkworld.com] you?

      Yes, I just karma whored a google search for "WEP encryption break".

      Also, I don't use WEP at home, nor do I use any kind of encryption by default at work for our ethernet. In fact, I've only heard of things that are by default encrypted like interbank communication, and I would assume the military might use some encryption be
      • What is WEP going to get you?

        Two things: It will make gaining access slightly more difficult, thwarting the casual/curious "attacker" or the accidental-associater AND it acts as a clear sign to those looking for goodwill/free access that your network is private.

        Will it stop determined attackers? No, but VPN and firewall are better suited to that task.

      • Indeed. I ran kismet this weekend at my greenwich village apartment and found no less than 55 wireless networks, half of then unpassworded and unencrypted. Most of the wireless routers that had not been renamed had default passwords. I ran the capture through ethereal and instantly had half a dozen email passwords before I got bored of sifting data. This was all from a 20 minute capture. Who needs to break in when the front door is wide open ? Looking at the router logs, I discovered that quite a few people
  • Why the hell would you have a corporate database directly accessible over the Internet? Even for online banking, wouldn't it make much more sense to have one server contacting customers, making sure that one IP goes with one account at a time, and requesting data from the database server?
    • "Why the hell would you have a corporate database directly accessible over the Internet?"

      Well, the problem is, once you put sensitive information on a machine that's part of a network that includes machines that have internet access, you're fucked plain and simple.
    • Because the boss's secretary needs to read his email from the field. Or because some idiot VP who just got their laptop can't be bothered to install security updates, and brings it to a tradeshow and gets their machine turned into a spam zombie.
    • It's easy. When you order over the phone, it's using the dial tones to complete an online order form. When WalMart orders more toliet paper because they're stock's low, they complete an online order form. Almost every system uses an over-the-web system for easy access to global databases. It's a really nice system. Executives can instantly see how many items were sold today, and can see the state of their company globally very rapidly. However, since it is over the internet, it is subject to hacking.
  • Whew! Thank goodness! I thought maybe all those industry secrets that guy published publicly (sic) were gonna do some actual harm to the company.
  • I love the writing style in the submission (or is it TFA?) ...
    ok, so say my company has 'a database' with 'client information' in it.
    Nobody is going to have "select * from foo" privileges.
    And the data is probably meaningless without a client application.
    They make it sound like the Wargames movie - where some guy 'gets into' 'the system' and gets 'the data'. Its a lot harder than this.
    I know from experience that its easy enough to compromise an employee, who can print pages of stuff out, or save things as a
  • D.D.O.S. (Score:5, Funny)

    by eltoyoboyo ( 750015 ) on Sunday August 07, 2005 @05:55PM (#13265874) Journal
    "D.D.O.S. attacks are still one of the primary ways of extorting a company, and we're seeing a lot of that," said Larry D. Johnson, special agent in charge of the United States Secret Service's criminal division. "

    Heck, they talk like it is such a big deal to start a DOS attack. Just post an article like "Walla Walla school district to abandon FreeBSD and use Linux desktops" on slashdot, using your target's web site for the article location.
  • I don't know why this is Slashdot-worthy. Get in your car with a Win 98 laptop and a crappy wireless card and drive through a commercial area. Free internet, anyone? You'd think by now it'd have gotten better...it hasn't. From what I've seen, any type of wireless encryption is becoming harder to find in the mass of networks here in LA.
    • I was without a net connection for 6 weeks (THANKS TELSTRA) so I would drive down to my local McDonalds, they have wireless hotspots there, but across the road some guy had setup their own wireless access point with DHCP and everthing. Why pay for Maccas wireless (slow) when you can use the guys wireless from accross the road?? haha A bit of war driving through brisbane, australia shows about 1 in 5 wireless networks are "secure". - paul
    • When my employer supplied me with a wireless laptop
      I decided to see just how secure my friends' hotspot
      was one day when he was out of town.

      Not only was it not secure, but for some reason it
      could be received TWO MILES AWAY from his home.

      I called him to let him know this and he was very
      surprised and later went to a more secure setup.

      But you would be surprised how many unsecured
      wireless connections are nearby.

      I suppose that this isn't surprising news but with
      the prevalence of articles like this you would
      think
      • I'm in the process of setting up a link between my house and a friends house about 3kms away (just under 2 miles for all those that haven't yet assimilated).

        We are using 2 directional aerials with about 8dbi of gain. In the process of trying to get the signals to hit each other somewhere in the middle, I've managed to pick up over 35 different wireless access points, 5 of those are "secure" (a very relative term).

        I view wireless security in the same light as putting a padlock on my front gate, it wil
  • Payment (Score:4, Insightful)

    by inphorm ( 604192 ) on Sunday August 07, 2005 @06:09PM (#13265916) Homepage
    I think the main problem for the wannabe hacker is the getting paid bit. How the heck do they remain anonymous and get paid?

    It's all very well to do that to a company, but you aren't exactly going to hand out your own bank details to the company in order to get paid.. heh.

    - paul

    http://pmp.deviantart.com/ [deviantart.com]
    • It's easy. You can use eGold or PayPal or some other "anonymous" payment facility. PayPal is great because they absolutely disclaim any liability or responsibility for the transaction. So, you pay that way.

      Why would anyone need to give out bank information, anyway? Have them send a check to a PO box at some non-post office place where they rent mail boxes. No id needed there and no tracability.

      Western Union is another great way to send money without much id being required. They have money for "Elmer F

      • If they sent you a check and you deposited it or cashed it against your account (if it's too large to cash without an account at the bank) then you've just given them your account info, so you might as well have done it from the start.
      • Bank cheques of any kind a tracable, they can "follow" them and find out whose bank account they are paid into. A PO is not hard to stake out.

        Not that I'm looking for ways to do it.. haha.

        - paul
      • Post-9/11, in the states, you need an SSN to open any sort of postage holding (mailboxes)/forwarding account. PayPal has always required an SSN, and they require a verified account of some sort to get any significant amount of funds out of the account. Western Union requires valid ID (ie a State ID (driver's license)). No idea where you came up with all these ideas.
    • How the heck do they remain anonymous and get paid?

      There are a number of foreign banks that will happily accept large transactions and ensure complete anonymity to everyone involved. The classic example of this used to be the Swiss banking system, although it's not quite as popular now that they finally relented on the WW2 account issue.

      AFAIK, the current favorites are Central American countries, the Bahamas, and other countries in the Gulf of Mexico area. Highly anonymized banking, a pretty corrupt governm
  • by Anonymous Coward on Sunday August 07, 2005 @06:28PM (#13265978)

    It was then that the stalker made a series of mistakes. Among them, he began to brag. In an e-mail message titled "Fire them all," he informed Mr. Videtto that he had found valuable MicroPatent documents by going "Dumpster diving to the Dumpster and recycle bins located in a parking lot on Shawnee Road" in Alexandria, Va., where the company maintained a branch office

    From "The Incredibles":

    Syndrome: Oh, ho ho! You sly dog! You caught me monologuing!

    Ah yes, the evil cybervillain cannot resist the urge to pontificate about his supposed superior intellect and abilities to his victims. Of course, by doing so they reveal all kinds of details about their nefarious plans and give the victims time enough to escape or capture the idiot.

    Monologuing trips up the bad guy everytime.
    • by computerdude33 ( 890573 ) on Sunday August 07, 2005 @07:05PM (#13266102) Homepage
      Not just that, but it gives good people chances to catch the bad guy.

      Example:

      A guy starts monologuing for 10 hours. In that time, the police are able to:

      *Get info on him
      *Eat a donut
      *Google him
      *Eat a donut
      *Find out where he is
      *Eat a donut
      *Go to his house
      *Eat a donut
      *Break in
      *Eat a donut
      *Arrest him
      *Have a donut party
      • Why is it that I never have mod points when I actually need them? :)

        This is the first time in ages I've actually laughed out loud at a slashdot post. Okay, maybe that says a bit too much about my lowbrow sense of humour - ah well. :)

    • Many theives really have trouble keeping their mouths shut. They just can't help but brag about how much they rule because they managed to pull off some scam. They end up talking themselves in to jail. Same holds true after they are arrested. If they were smart, they'd clam up and let their lawyer do all the talking, instead they run their mouth, and the police are able to start to play lies against eachother and eventually break their story.

      I mean in the real world it's not usally as overdone as in the mov
      • Getting off topic here but people are always giving away to much information to fast. I was rear ended in traffic one time. The guy got out of his car and started complaining that I cut in front of him and slammed on my brakes. I said absolutely nothing until the police arrived. He ran up to the cop, told him the same thing but with more details. A few minutes later the cop came to me and asked what happened. I stated that immediatley after merging onto the highway, the traffic in front of me stopped
  • by King_TJ ( 85913 ) on Sunday August 07, 2005 @06:35PM (#13266012) Journal
    It seems to me that the people telling us how "Many times, companies just pay the hackers off to avoid embarassment." have little or no real facts to back up those claims.

    In other words, it's just sensationalist writing.

    In any nation with reasonably well enforced laws protecting a company's I.P. - I would think it's pointless for an extortionist to even attempt this. Sure, you might have the technical means to steal the proprietary info (especially if the company has unsecured or poorly secured wi-fi networks), but then what?

    Even the guy in this story got caught after unsuccessfully trying to scam money out of just one company. And today, it would seem to be much more difficult to get away with than it was even a few years ago. The government and law enforcement are getting more knowledgable about Internet-based crime all the time, and since 9-11, the U.S. at least has enacted more laws giving feds the ability to "spy" on net traffic and trace things back to their source.

    I really don't believe any legitimate business would think it made sense to pay some hacker millions of dollars in extortion money. This is MUCH more effective in situations like the one discussed in a Slashdot story a while back ... where someone threatens a denial of service attack on an online gambling/betting or porn site that's already running "beneath the radar" of legislation in nations that would prefer to shut them down.
    • by Feanturi ( 99866 ) on Sunday August 07, 2005 @07:25PM (#13266174)
      This is MUCH more effective... ...site that's already running "beneath the radar"

      I don't know, I think there are plenty of companies that operate 'above the radar' that would be horrified at the thought of customers being able to see what's really going on in the back room. Getting the FBI involved can be thought of as riskier than just paying up. If they are detected while going to the authorities, the psycho that's threatening them can release all the secrets and just disappear. Screw the money, you're just plain going DOWN now. Just as kidnappers can threaten (and make good on that threat) that they will harm or kill their captive if you go to the cops. And, just because your business is legitimate on paper doesn't mean it's actually operating that way either.
    • What really shows that the story is sensationalist is the fact that in the end, the guy asks the company to write a check to him using his real name. So all that FBI, tracking him down, etc. was a complete waste of everyone's time - All they had to do was ask "ok, who should we write the check to?"

      Although I love the part where the hacker threatens to open the web bug in a hex editor! Oooohh! And the NYT tries to explain what that means, defining a hex editor as "software that allows users to preview the
      • This is what I always wondered about these extortion attemps .. The money is always traceable. Even if you use paypall or something, the money has to go somewhere. Unless we're talking about a scammer in Nigeria, I think it should be pretty straightforward to catch anyone trying this.

        Same goes for spammers .. They're always trying to sell something, just follow where the money's going.

    • >I really don't believe any legitimate business would think
      >it made sense to pay some hacker millions of dollars in extortion money.

      Hey - ask around.

      I've had many conversations about black hats and what to do about them if you find things as innocuous as a rogue FTP server running on one of our hosting systems.

      One interesting comment has been that an organization is inviting war on themselves when they kick our these kinds of squatters...best bet is to lay down ground rules for them so they don't affe
  • by pmdata ( 861264 ) on Sunday August 07, 2005 @07:07PM (#13266111)
    Nothing will change until a large attack steals congressional credit card numbers, blacks-out the entire East Coast for two weeks, diverts Taco Bell supply trucks to Canada, or shuts down all the free porn sites. We are a reactionary society. Even when tools like encryption and AV are practically free, 99.9% of the population won't use them until something really bad happends or they are forced. Security WILL be forced upon us after a "Digital Pearl Harbor" touches us all. It's not a matter of if, but when.
    • by Anonymous Coward
      Nothing will change until a large attack steals congressional credit card numbers, blacks-out the entire East Coast for two weeks, diverts Taco Bell supply trucks to Canada, or shuts down all the free porn sites.

      Dammit, are you trying to get Canada to launch a preemptive nuclear strike against the US?

      Mark Edwards
      --
      Proof of Sanity Forged Upon Request

    • If M$ marketting, executive and legal were to die off tomorrow, users would be forced to seek a sys admin or learn (or get a Mac, which is STILL a step up)... which means, there would be less idiots on the net. Its about the same as requesting that ALL drivers be forced to KNOW how to identify and check fluids, and ANY damage done by negligence should be charged triple at the repair shop (just imagine those head gaskets being charged to some idiot at triple rate!!) A law like that would mean that I would
  • Subtle crooks (Score:3, Insightful)

    by whitehatlurker ( 867714 ) on Sunday August 07, 2005 @07:31PM (#13266204) Journal
    Has this not been on /. before?

    There seems to be a lot of comment about the case, considering that he asked to have the cheque made out his own name [google.com].

    This line even appears in court documents (pdf) [4law.co.il].

  • Why do we have to put up with this stupid NYT reg crap?? ... Keep this rag with its registration requirements where it belongs... in the trashcan... unless a non-reg link can be provided in the original article.... Just my .02 cnts
  • When I was an Intern as a sysadmin a couple of years ago in a quite big company, i had access to all the Domain servers and could see all the accounts.

    I asked my supervisor if all those accounts were in use. He didn't know. I did a bit of research, and found out that between 5% and 10% of the accounts were belonging to old Interns, Employees that left, or ppl that changed group. In a company with 15000 Employes, that makes a really big bunch of wandering accounts. No wonder why people can find 1 or 2 accoun

"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." -- Bertrand Russell

Working...