Hackers Find Bugs, Extort Ransom, Call It a Public Service

Reader msm1267 shares a report on ThreatPost about an ongoing security trend: Crooks breaking into enterprise networks are holding data they steal for ransom under the guise they are doing the company a favor by exposing a flaw. The criminal act is described as bug poaching and is becoming a growing new threat to businesses vulnerable to attacks.
Hackers are extorting companies for as much as $30,000 in exchange for details on how hackers broke into their network and stole data. Researchers say once the intruders steal the data, there's no explicit threat that they will break in again or release data if companies don't pay. Instead, attackers release a simple statement demanding payment in exchange for details on how to fix the vulnerability
Typical bug poaching incidents start with criminals breaking into a network and stealing as much sensitive data as they can. Next, they post the data to a third-party cloud storage service. Lastly, the attackers email the company links to the data as proof the information was stolen and ask for a wire transfer of money in exchange for how the data was stolen.
During the attack, victims are not threatened with the public release of their data, instead attackers simply send a message that reads: "Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for a living, not for fun."

It'd be a shame,,,,,

[dasgoober]

... If someone ELSE broke in and found the information, and then released it to the public - but I wouldn't do such a thing. ... heheheh

Garbage journalism

[ShanghaiBill]

... If someone ELSE broke in and found the information, and then released it to the public - but I wouldn't do such a thing. ... heheheh

According to TFA that is NOT what they are doing. Also, according to TFA, that is exactly what they are doing. When an article is written this incompetently, and contains contradictory statements, and zero actual examples, it is best not to draw conclusions from anything it says.

Private Enterprise at work finding holes

[BoRegardless]

Isn't this the way capitalism is supposed to work? Find a need and fill it?

Re:

[davester666]

Nope, if you incorporate, and then get valued at, say, $50mil or more, then you can probably do this legally, because you are in the "security" business.

Re:

[Anonymous Coward]

If a home security service broke into your house and left behind a pamphlet advertising their superior lock service for the low-low-discount price of only $1000, I suspect there would be more of a response than "What a great way to advertise a profitable business!"

Re:

[geekmux]

If a home security service broke into your house and left behind a pamphlet advertising their superior lock service for the low-low-discount price of only $1000, I suspect there would be more of a response than "What a great way to advertise a profitable business!"

Bad example.

It takes at least some skill and training to break into a network.

It takes an idiot with a brick to break into a house.

Which is exactly why you hear about the latter happening FAR more than the former, and therefore no shady tactics by home security companies are needed, only FUD sales tactics.

Re:

[scarboni888]

We were hoping you would take care of that, AC. AC??

Re:

[jthill]

This is the confusion the FBI et al. are capitalizing on. A physical lock that's more expensive to break than the value of what it's protecting would be absurd.

Re:

[gurps_npc]

Nope.
If I find a need for your home to require a fire alarm, I can't break into your home and install one, then demand money for the 'work' I did.

Re:Private Enterprise at work finding holes

[Qzukk]

Who's installing one?

What this sounds like is that they break in, find you have no fire alarm, then tell you "hey bud, you've got a major fire code violation on your hands. For $x, I'll tell you what it is. Otherwise, well, who knows what the next inspection will turn up?"

Re:

[geek]

Isn't this the way capitalism is supposed to work? Find a need and fill it?

Yes. They are called pentesters. These however are no pentesters.

Re:Private Enterprise at work finding holes

[fustakrakich]

It's also anti communist. The people that report bugs for free are being thrown into jail. Damn hippies!

Re:Private Enterprise at work finding holes

[bluefoxlucid]

Yes, and government is meant to regulate and facilitate capitalism. Faced with a need, hundreds of frauds will try to sell you a useless product or service, and others will attempt to manufacture a need by such methods as causing you harm and selling you the means to repair said harm. Governments place regulations and laws providing standards and punishment for such actions so that such exchanges are voluntary and beneficial.

Until the FBI shows up

[captaindomon]

It's all fun and games and your "living" until the FBI (or insert your country's equivalent here) breaks your door down at 3:00 AM. Try to convince a judge "I broke into his house and stole his cat and held it ransom because I wanted to let him know his windows are breakable."

Re:

[barbariccow]

terrible analogy - you'd have to break in and make a clone of the cat and take that clone to be even a little bit close.

Not according to RIAA and the supporting court system..

Re: Until the FBI shows up

[phorm]

I don't know that the RIAA would have a problem with the midget porn, unless it had a copyrighted soundtrack.

After all ,they look after the music industry, not the little guys.

Headline should be...

[mongothesecond]

Bug bounty participants decide they want a raise.

Re:

[Colin Castro]

More that they wanted to get paid at all, how many times have we heard of bounty programs not paying out or lying?

Why not?

[fustakrakich]

The good Samaritans are being being treated like criminals anyway. This makes it worth the risk. We can blame the authorities for this turn of events. Treat people like criminals, you're gonna get criminals.

Re:

[Anonymous Coward]

I'll always be amazed by the intellectual hoops some people will jump through to blame anyone but themselves for their own choice of actions.

Re:

[fustakrakich]

Right or wrong, most people will follow the example that leads to the highest rewards.

Re:

[AK Marc]

That statement has a chance of being true only if the poster has done it. When the corporate overlords are acting evilly, why is a character flaw to act similarly in response?

Work both ends...like the cable companies

[xxxJonBoyxxx]

>> Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for a living, not for fun

If that's true, then these enterprising young job creators are missing a viable revenue stream: also selling copies of the data. (In other words, anyone who says this is still full of it.)

Re:

[wierd_w]

I dont extort money from people this way, nor do I attack production systems to find vulnerabilities. (The most I do is set up my own deployment, and then do horrible things to that, and then only out of personal curiosity)

However, I feel compelled to point out-- Not everyone is a sociopathic ass weasle. For some, the extortion of money is more a means than an end. In other words, they dont really want the money, the demand for money is just something used to coerce the corporate overlords they see running

Re:Work both ends...like the cable companies

[Gavagai80]

If it's genuinely not about the money, demand that the company donate the specified amount to a specified charity.

Re:

[UsuallyReasonable]

If you don't understand how tax law works, posting comments regarding it is a bad idea. Tax deductibility does not make something free.

Re:

[wierd_w]

That's how you get "sued then ignored."

Holding the data makes them have to take you seriously.

It's a terrible thing, but the downward spiral is being driven by the obsinate corporation's sociopathy, not the grey hats.

Post More FUD

[zenlessyank]

Meanwhile corporations put profit over security. Some body calls them out for it and they claim terrorism. Fix your shit or get owned. Blaming somebody for walking in front door when you left the door unlocked is stupid. This is the real world. Not some fantasy place where your wish is everyone else's command. Self righteous spin will come back to haunt you.

Re:Post More FUD

[bluefoxlucid]

Corporations are minimizing *cost*; profits are not directly under corporate control. When you reduce cost, you can reduce price to take a stronger market position--and that works until your competitor does the same, at which point you need to reduce cost further and get in line with whatever your profit margin was in the first place.

That's usually a maximizing strategy. Spending excess for something (e.g. security) means something else is not made, because that consumes labor; likewise, the uptick in a product's cost means the price goes up, and thus consumers can't buy as many other things with their income (which, happily, aligns with the "the people who were making other things are now busy making this thing instead" problem). Couple that with technical progress and you get phenomena such as food getting cheaper (30% of the median family's income in 1950, 14% of their income in 2000, 11% today) and people having better access to medical care, smart phones, or ALL THE OTHER SHIT THAT MAKES US ACTUALLY CARE ABOUT COMPUTER SECURITY.

I said *usually* a maximizing strategy. Even with computer security as today, these types of breaches carry a cost and, notably, they carry risk: that $30,000 cost isn't just a $30,000 cost, but the *potential* for lost customers and UNCONTROLLED COSTS. Those uncontrolled costs could be immeasurable: they could be millions, they could be a percentage of your business, or they could be a blunt disruption to operations resulting in either immediate failure *or* a temporary loss of operating ability shifting business toward a competitor and leading to a downward spiral of your business's market position until it ceases to be a business.

"We don't know how much we need to charge for our product to stay in business" tends to turn into "we need to charge more than our competitors, and are losing business because their products are cheaper", which tends to motivate businesses to deploy better security to control those risks. As we've seen, this isn't *always* true; it's typically *reasonably* true, and even the best security gets breached (something you're unfairly ignoring)--just much less often.

It's also true that, as you suggest, businesses will under-spend for security when that spending doesn't provide them a direct return due to the consequences being borne by the market. That is: security breaches generally cost a business unknown money, thus are addressed naturally as a risk; and security breaches *can* cost the consumer in ways which aren't covered by actions which protect the business, thus creating a gap in which a certain action would provide an economic benefit, but not be a natural action for a business to take.

That gap is filled by GOVERNMENT REGULATION. Use sparingly, but use where required.

So, business cost-minimizing and cost-controlling actions: Good. Government regulations: Good. These two things cover for each other. Without business behavior as such, we need some kind of command economy (Marxism, Communism); without government regulation as such, capitalism outright fails (we get anarchocapitalism and then corporatism, leading to fascism--corporate dictatorship by controlling market interest such that "voting with your dollars" creates widespread poverty and worse immediate problems than accepting the rule of the elite).

"honestly"????

[mark-t]

Like seriously anyone can possibly be expected to believe that?

If the person is willing to break the law and hack into somebody else's computer without permission, why the heck would they have any compunction about lying about not releasing the data? They've already showed willingness to ignore what the law requires them to do (or not do), so there is no reason to believe that they would not release the data.

Re:

[mark-t]

I didn't suggest that computer trespass was akin to murder though, did I? *YOU* were the one who brought up that comparison. I suggest only that computer trespass is akin to things such as fraud and theft, which is also what selling the data to someone else would be.

Re:

[Jumunquo]

And that is exactly the very valid point that was made - that is willingness to commit computer trespass and ask for money does not necessarily equate a willingness to release secret company information.

I can switch the question back onto you - why would the criminal not just threaten to release the info then? Wouldn't that be better at compelling you to pay the ransom? I'll try to make an educated guess here: I bet they are trying to give themselves an excuse for their behavior or they are following som

Re:"honestly"????

[mark-t]

I would suggest that it may very well be that the desire to at least offer a pretense that they have the best interests of the victim in mind... when in fact, if they genuinely had had their best interests at heart, they would not have chosen to deliberately break the law and hack into their system in the first place, and certainly not hold the details of how they did so for ransom.

Re:

[wierd_w]

Be careful with those bandwagon fallacies.

Like all actions undertaken by people, the issue revolves around motive.

If Motive == "Personal enrichment" Then
ExtortMoney="true"
SellStolenData="true"
Else
If Motive=="End-User security improvement" then
If LegitimateEthicalDisclosureSuccessful="True"
ExtortMoney="false"

Re:

[mark-t]

Nobody's forcing the hackers to hold the data hostage.... they could, if they really were so inclined to do things on the up-and-up, resorted to doing *LEGAL* things instead of breaking the law. The only reason they could ever somehow feel forced to sell or distribute the data in the event that they didn't get paid for the service of knowing how the hack was accomplished is because they broke the bloody law in the first place. In fact, the only logical reason I can think of for them to do things illegall

Re:

[wierd_w]

Want a specific example?

A few years ago, I was looking for a copy of a specific file, and constrained my google searches in such a way that I was getting only raw file indexes from google.

My crime: Using google.

What I found-- You know the Atlas experiment? Part of the LHC at CERN? They had an insecured, public facing HTTP server online that had the file I was looking for. The server was clearly not intended to be publicly facing: It had engineering data on the ATLAS detector, some preliminary data from t

Re:

[mark-t]

I would suggest a very pronounced difference here is that you weren't interested in causing any harm to them, financial or otherwise. Can't exactly say that about these guys here, can you?

Re:

[wierd_w]

If you note, that is precisely what I was pointing out-- it all revolves around the motive.

These days, in the climate of people being arrested for pointing out a serious issue, stumbled upon innocently, for technical infractions of modern antihacking laws-- The potential exists for people that just want to see the server fixed, having to resort to unscurpulous practices to see that this happens, where in the past a friendly letter sufficed.

In such cases, the "extortion" is only a means, not the end. The des

Re:

[mark-t]

People can only do the right thing, when it is safe for them to do the right thing.

Perhaps... but even not being safe to go out and actively do the right thing does not mean it should be acceptable to do something to harm or to exploit somebody else... which even at best, is still what these people are doing.

Re:

[wierd_w]

That's part of the problem here-- The person who makes the discovery is systematically excluded from being considered a "good guy", because under the prevailing laws, they did indeed access privileged information without proper authorization. That this happened accidentally, or as a result of a completely harmless search is not important, and the prosecutor will attack with vengence all the same.

This leaves this person, who wants to do what is right (or what they percieve to be right), stuck with only bad

Re:

[mark-t]

Assuming that the intrusion was accidental, you have given three options for consideration:

1) ignore the whole thing and hope nobody audits the logs.
2) Report the problem ethically, and risk being arrested for criminal hacking, and being drummed up as some dread pirate roberts of the hacking world, because some prosecutor has a hardon for being officious.
3) Report the problem as a zero day and get paid for it, and use the money to evade prosecution-- know that people WILL have their data stolen and expl

Re:

[wierd_w]

I agree, which is why i took option 2.

The problem is that when confronted with almost certain reprisal of the legal kind (corporations are sociopaths, and DO NOT engage ethically! if they can make you into a boogieman that just wanted to hard their customers, truth be damned-- it means that they can lie, say their systems are perfectly secure from most types of intrusion (despite the objective reality), and that by apprehending and prosecuting you, they have removed the threat to their customers. Their cust

Re:

[mark-t]

speaking for myself, since I cannot control what other people may or may not do, I do not allow whatever unethical responses I might expect from them to prevent me from acting ethically, because the choice to act ethically or not *is* something I can control. While it's not my desire to invite bad consequences into my own life, I'm ultimately still not responsible for how unethically other people might act, even if such responses can be theoretically anticipated in advance. I can only assume responsibili

Clever.Hacking less of a crime than blackmail?

[evolutionary]

Technically, prosecutors can't charge blackmail because they haven't said your data will be exposed unless you pay. They are only asking to be paid for how to patch the security flaw. (White hacking + data extraction) Of course the idea is to add "incentive" with the data being in public, unauthorized space. But they haven't said it would be leaked unless payment is given (or only take it down on the same terms). Of course the victim could turn that around and say, "before we discuss the merit of your services, let's say you remove all files the files I own from your server, allow me access that I may be satisfied to the fact it is destroyed and no spare copies exist, you tell me how your broke into my system and how to patch it up and in exchange I don't send your name, and your communications to me to the cyber crimes division of the FBI, it's a bargain considering the alternative, and some free advice in return for your assistance...stop short of actually stealing files before asking for a fee for your proactive "good citizenry". Appreciate your efforts".

Re:

[Stan92057]

"Quote"Crooks breaking into enterprise networks are holding data they steal for ransom under the guise they are doing the company a favor by exposing a flaw."End Quote"

Yep that's blackmail, holding something they stole from you and demanding something in return to get it back/prevent being made public is blackmail/extortion/against the law. They are criminals no matter how its painted. they are no heroes they are not the good guy, the good guy will tell you and demand nothing but even then breaking into

Re:

[stephanruby]

"...let's say you remove all files the files I own from your server, allow me access that I may be satisfied to the fact it is destroyed and no spare copies exist...

So you're demanding root access to all his servers, email accounts, cloud accounts, passwords, phones, tablets, external drives, usb flash drives, SD Cards, burned DVDs, tape backups, any accounts of his friends and family, his garage, his home, his gym locker, any and all his body cavities, etc.

And even then, do you realize that even if he gave you all of these things, that it will never guarantee that the data "was destroyed and no spare copies exist". No, no. If your data has been compromised. It has bee

Re:

[rahvin112]

Access without permission is a violation of the CFAA and the penalties are severe.

from Ransomware to Ransom as a Service?

[Gravis Zero]

sounds like these blackhats just got their MBAs. ;)

Says the mercenary. . .

[smooth wombat]

as they put a loaded gun to the head of these criminals:

I do this job for a living, not for fun.

How to Be Taken Seriously 101

[penguinoid]

After decades of "We'll fix that as soon as possible (maybe 20 years)" or "How dare you threaten/embarrass us, you evil criminals!" as a response to disclosure of security vulnerabilities, I can sympathize with this course of action. After all, they're at about as much risk of legal action either way, in fact probably less this way.

Not a Ransom

[GezusK]

They're not threatening to release the data, so it's not a ransom. They're just not going to tell you how to do your job and secure your data. They're not going to get that service for free any where else...and at least this way they're not getting screwed by a real breach.

Re:

[Dareth]

There has been a breach and anyone involved is under obligation to report it as such. I am sure enough people will pay to keep it quiet and this type of action profitable.

Meh

[tsotha]

Whether or not this is actually extortion depends on whether or not the hackers release the data if the company decides not to pay. If the company says no and that's the end of it I can't get too excited, though the act of breaking in is itself illegal in most places.

Not a bad price

[BlueCoder]

Even if you a small company and frivolously sued lawyers will tell you to settle for anything less then 30K. Why? Because that is how much it is going to cost you to win the case.

If I owned two million dollars worth of personal stuff and a thief robbed me then offered to return everything for 30K and tell me how he robbed me so I could fix the problem with my security.... I would think 30k for 2 million would be a bargain.

The public service here is that the company was lax in protecting their data and takin

It's all fun and games until....

[Tempest451]

You try to extort the wrong "organization" and they come knocking at your door.