Schneier on Security
A blog covering security and security technology.

December 4, 2006

Hacking Indictment

It's been a while since I've seen one of these sorts of news stories:

A Romanian man has been indicted on charges of hacking into more than 150 U.S. government computers, causing disruptions that cost NASA, the Energy Department and the Navy nearly $1.5 million.

Posted on December 4, 2006 at 12:48 PM • 20 Comments

Comments

From the article link: Uhmm, really? I'll never know, but according to another idiot who got caught, a lot of US government systems are easy to break into. "Hackers" like Faur and McKinnon probably know just enough to get themselves into trouble without understanding that the likelihood of prosecution is partly related to the chances of a successful conviction rather than the seriousness of their crime. Faur and his like certainly deserve to be punished but hopefully they won't get decades in jail for being stupid. I wonder if the System Admins on the hacked boxes were disciplined?
Posted by: Philosopher at December 4, 2006 1:42 PM

"I wonder if the System Admins on the hacked boxes were disciplined?"
I'm one of the admins on a hacked boxes. What sort of discipline would you think it appropriate for me?
Posted by: Anonymous at December 4, 2006 2:34 PM

Another extradition? I'm still waiting for an explanation by someone with a legal background of why he can't be tried in his home country if what he did was illegal there - and how he can be extradited if it wasn't.
Posted by: Bunny at December 4, 2006 2:36 PM

@Bunny: Extradition is always for crimes that have jurisdiction in other states or countries. He can be extradited because of treaties between the US and, e.g., Romania that allow for mutual extradition to face charges in the proper jurisdiction.
Posted by: DBH at December 4, 2006 2:39 PM

@Anonymous I think CBT is appropriate for you, little admin )
Posted by: Susana at December 4, 2006 2:41 PM

Apparently the extradition treaty between Romania and US dates from way back in 1924, and thus does not include computer crime. So Mr. Faur (aka "SirVic" aka "the idiot") will sadly have no opportunity to experience firsthand the US justice system. The prevalent question these days is another: what in the world were those computers doing online? If they're mission-critical (as the article suggests), this is a blatant breach of security. If they're not (as I actually suspect), the damage (and its monetary equivalent) may have been rather exaggerated. Back to Mr. Faur for a sec. Apparently (according to someone who knows him) his hacking skills are not much above the "script-kiddie" level. If both this fact and the security breach at NASA are true, I'm afraid that doesn't say anything good about NASA security protocols.
Posted by: Laur at December 4, 2006 2:44 PM

@ anonymous "I'm one of the admins on a hacked boxes. What sort of discipline would you think it appropriate for me?" How about grammer school? Better yet, how about working with your peers to develop a consistent system hardening program in your environment(s)? Then re-examine each "layer" of your defenses and come up with action plans to increase the effectiveness of each layer and/or add layers where none exist? Think pro-active...not re-active...though one shouldn't shirk on the log review either. ;-)
Posted by: Paul Tronson at December 4, 2006 3:10 PM

"I'm one of the admins on a hacked boxes. What sort of discipline would you think it appropriate for me?" Simple: meet the minimum requirements or leave the post. Government boxes are supposed to meet some simple minimum security requirements. The last time I read about a GAO report on the security of various machines at various agencies, well, "woefully inadequate" is a paraphrase. As I vaguely recall, DHS was the most woefully inadequate, and the irony was not lost on the GAO. On the other hand, if your hacked boxes don't need to be secured, then no action is necessary. Except if you want to avoid looking like an ass in the future.
Posted by: Anonymous at December 4, 2006 3:24 PM

Those mission-critical computers had to be online because the US Government fails to provide up-to-date crossword puzzles, word puzzles, actual news, pornography, or access to blogs, Amazon.com, and eBay. Being online is required even to view fake news. Security theater is dismally boring. It's the nature of the beast. While private industry (read 'corporate fascism') can spy at will on its employees, the government, alas, cannot do so with impunity, simply because espionage is illegal.
Posted by: Roy at December 4, 2006 3:25 PM

@Anonymous: "I'm one of the admins on a hacked boxes. What sort of discipline would you think it appropriate for me?" ... send him to the squid tank.
Posted by: Rob Mayfield at December 4, 2006 3:42 PM

@Anonymous: "I'm one of the admins on a hacked boxes. What sort of discipline would you think it appropriate for me?" Well, actually I don't think you should be punished that much, it is the management that failed to create and implement a comprehensive security concept, in spite of all audits and reports. I don't think you alone have a chance of defending any one server 24/7, outside a perimeter. That does not mean though that your performance was acceptable if the reports that these packages have been running for days on those machines are true.
Posted by: je_fox at December 4, 2006 4:33 PM

> it is the management that failed to create and implement a comprehensive security concept, in spite of
I'm writing a long article at work (a long way from NASA) at the moment on this problem and related stuff (lots of the technical aspects of today's computer landscape don't help either). Just today the boss overruled my attempt to include a "dreadful" category in the statistics.
Posted by: octagonal at December 4, 2006 6:56 PM

"though one shouldn't shirk on the log review either." That was in fact how he was found. There were logins where there shouldn't be, and upon investigation the extent of the trouble was found.
Posted by: Anonymous at December 4, 2006 7:34 PM

I thought that you aren't supposed to promote personal or commercial websites on this post. Maybe you are capable of doing so, but you shouldn't, out of courtesy if nothing else.
Posted by: cmills at December 5, 2006 6:02 AM

@ anonymous "I'm one of the admins on a hacked boxes. What sort of discipline would you think it appropriate for me?" Two weeks on a beach in San Diego and sympathy from those of us who also have to defend against a million possible attacks, while an attacker only has to find one vulnerability. We usually do not have a say in what systems become publicly accessible, we're just given a charge to defend them.
Posted by: Brink O'Frustration at December 5, 2006 8:40 AM

@ Paul Tronson Grammar school for him. Spelling school for you? :-p
Posted by: Andrew W at December 5, 2006 2:04 PM

@Andrew W I'm curious. @Rob Mayfield LOL Now for a slightly more serious comment for all you System Admins. In my work environment, I have heard of cases where staff have been demoted, fired or jailed (military jail for service personnel) as punishment for playing with hacking tools or other security breaches. P.S. Wouldn't it be nice to have a blog comment system with a spell checker facility?
Posted by: Philosopher at December 5, 2006 3:24 PM

@Philosopher The original bad spelling was "gramm_e_r school".
Posted by: octagonal at December 5, 2006 3:38 PM

In cases like this it is all too easy to blame the person who runs the computer, but that may be missing the bigger picture... A Security Administrator is only as effective as the training they receive (formal and otherwise), the tools at their disposal, and the amount of authority they are allowed to wield. In a number of these cases the security people were trying to do their jobs, but were hamstrung by administrative issues (lack of power, lack of training, lack of concern on the part of their supervisors, etc). Before anyone blames anyone, they should evaluate the process and procedures to see if it was a one-time break-down, or if it was a more systematic failure that needs to be studied and remedied.
Todd
Posted by: mbridge at December 10, 2006 11:03 PM
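The Anonymous comment of December 4, 7:34 PM says the intrusion was found through log review: logins where there shouldn't have been any. As an added example, not code from the post or from any commenter, the Python below runs that kind of review over constructed sshd-style syslog lines, flagging each accepted login that breaks an assumed policy (expected source networks, expected accounts, working hours). The hostname, addresses, account names and the policy itself are assumptions made for illustration, not facts about the systems in the story.

```python
import ipaddress
import re

# Constructed sample lines in OpenSSH/syslog style, not real logs from the
# systems in the story. Hostname, accounts and addresses are hypothetical.
SAMPLE_LOG = """\
Nov 20 09:12:01 buildhost sshd[4021]: Accepted publickey for jsmith from 10.1.4.22 port 50122 ssh2
Nov 20 09:40:17 buildhost sshd[4077]: Failed password for root from 203.0.113.9 port 41002 ssh2
Nov 21 02:13:44 buildhost sshd[4310]: Accepted password for admin from 203.0.113.9 port 41077 ssh2
Nov 21 10:02:09 buildhost sshd[4402]: Accepted publickey for jsmith from 10.1.4.22 port 50233 ssh2
Nov 22 03:55:31 buildhost sshd[4590]: Accepted password for jsmith from 198.51.100.77 port 3381 ssh2
"""

# Assumed policy: only these source networks and accounts are expected to
# log in, and interactive logins are expected only between 07:00 and 19:59.
EXPECTED_NETS = [ipaddress.ip_network("10.1.0.0/16")]
EXPECTED_USERS = {"jsmith"}
WORK_HOURS = range(7, 20)

# Only successful logins matter for this review; failures are noise here.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_accepted(line):
    """Return a dict for an 'Accepted ...' sshd line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": f"{m.group('mon')} {m.group('day')} {m.group('time')}",
        "hour": int(m.group("time")[:2]),
        "method": m.group("method"),
        "user": m.group("user"),
        "ip": ipaddress.ip_address(m.group("ip")),
    }


def review_logins(text):
    """Return (timestamp, user, ip, reasons) for each accepted login outside policy.

    A login is reported once, with every policy it breaks listed, so the
    reviewer sees at a glance whether it is merely odd or clearly hostile.
    """
    findings = []
    for line in text.splitlines():
        ev = parse_accepted(line)
        if ev is None:
            continue
        reasons = []
        if not any(ev["ip"] in net for net in EXPECTED_NETS):
            reasons.append("source outside expected networks")
        if ev["user"] not in EXPECTED_USERS:
            reasons.append("unexpected account")
        if ev["hour"] not in WORK_HOURS:
            reasons.append("outside working hours")
        if reasons:
            findings.append((ev["ts"], ev["user"], str(ev["ip"]), reasons))
    return findings


if __name__ == "__main__":
    for ts, user, ip, reasons in review_logins(SAMPLE_LOG):
        print(f"{ts} {user}@{ip}: {'; '.join(reasons)}")
```

Two points a practitioner would add: the review should run over logs shipped off the host (syslog to a collector, or similar), since an attacker with a shell can edit the local file, and every flagged login should be reconciled against change tickets and on-call records before anyone is blamed, which is the process check the mbridge comment above asks for.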