Hacking Indictment

It's been a while since I've seen one of these sorts of news stories:

A Romanian man has been indicted on charges of hacking into more than 150 U.S. government computers, causing disruptions that cost NASA, the Energy Department and the Navy nearly $1.5 million.

The federal indictment charged Victor Faur, 26, of Arad, Romania, with nine counts of computer intrusion and one count of conspiracy. He faces up to 54 years in prison if convicted of all counts, said Thom Mrozek, spokesman for the U.S. Attorney's office, on Thursday.

Faur was being prosecuted by authorities in Romania on separate computer hacking charges, Mrozek said, and will be brought to Los Angeles upon resolution of that case. It was not known whether Faur had retained a lawyer in the United States.

Posted on December 4, 2006 at 12:48 PM • 20 Comments

Comments

Philosopher • December 4, 2006 1:42 PM

From the article link:
"main goal was to break into U.S. government computers because they are some of the securest machines in the world."

Uhmm, really? I'll never know, but another idiot who got caught says that a lot of US government systems are easy to break into.
http://news.bbc.co.uk/2/hi/technology/4715612.stm

"Hackers" like Faur and McKinnon probably know just enough to get themselves into trouble without understanding that the likelihood of prosecution is partly related to the chances of a successful conviction rather than the seriousness of their crime. Faur and his like certainly deserve to be punished but hopefully they won't get decades in jail for being stupid.

I wonder if the System Admins on the hacked boxes were disciplined?

Anonymous • December 4, 2006 2:34 PM

"I wonder if the System Admins on the hacked boxes were disciplined?"

I'm one of the admins on a hacked boxes. What sort of discipline would you think it appropriate for me?

Bunny • December 4, 2006 2:36 PM

Another extradition? I'm still waiting for an explanation by someone with a legal background of why he can't be tried in his home country if what he did was illegal there - and how he can be extradited if it wasn't.

DBH • December 4, 2006 2:39 PM

@Bunny: Extradition is always for crimes that have jurisdiction in other states or countries. He can be extradited because of treaties between the US and, e.g., Romania that allow for mutual extradition to face charges in the proper jurisdiction.

Susana • December 4, 2006 2:41 PM

@Anonymous
"I'm one of the admins on a hacked boxes. What sort of discipline would you think it appropriate for me?"

I think CBT is appropriate for you, little admin )

Laur • December 4, 2006 2:44 PM

Apparently the extradition treaty between Romania and US dates from way back in 1924, and thus does not include computer crime. So Mr. Faur (aka "SirVic" aka "the idiot") will sadly have no opportunity to experience firsthand the US justice system.

The prevalent question these days is another: what in the world were those computers doing online? If they're mission-critical (as the article suggests), this is a blatant breach of security. If they're not (as I actually suspect), the damage (and its monetary equivalent) may have been rather exaggerated.

Back to Mr. Faur for a sec. Apparently (according to someone who knows him) his hacking skills are not much above the "script-kiddie" level. If both this fact and the security breach at NASA are true, I'm afraid that doesn't say anything good about NASA security protocols.

Paul Tronson • December 4, 2006 3:10 PM

@ anonymous

"I'm one of the admins on a hacked boxes. What sort of discipline would you think it appropriate for me?"

How about grammer school?

Better yet, how about working with your peers to develop a consistent system hardening program in your environment(s)?

Then re-examine each "layer" of your defenses and come up with action plans to increase the effectiveness of each layer and/or add layers where none exist?

Think pro-active...not re-active...though one shouldn't shirk on the log review either.

;-)

Anonymous • December 4, 2006 3:24 PM

"I'm one of the admins on a hacked boxes. What sort of discipline would you think it appropriate for me?"

Simple: meet the minimum requirements or leave the post.

Government boxes are supposed to meet some simple minimum security requirements. The last time I read about a GAO report on the security of various machines at various agencies, well, "woefully inadequate" is a paraphrase. As I vaguely recall, DHS was the most woefully inadequate, and the irony was not lost on the GAO.

On the other hand, if your hacked boxes don't need to be secured, then no action is necessary. Except if you want to avoid looking like an ass in the future.

Roy • December 4, 2006 3:25 PM

Those mission-critical computers had to be online because the US Government fails to provide up-to-date crossword puzzles, word puzzles, actual news, pornography, or access to blogs, Amazon.com, and eBay. Being online is required even to view fake news.

Security theater is dismally boring. It's the nature of the beast.

While private industry (read 'corporate fascism') can spy at will on its employees, the government, alas, cannot do so with impunity, simply because espionage is illegal.

Rob Mayfield • December 4, 2006 3:42 PM

@Anonymous: I'm one of the admins on a hacked boxes. What sort of discipline would you think it appropriate for me?

... send him to the squid tank.

je_fox • December 4, 2006 4:33 PM

@Anonymous: I'm one of the admins on a hacked boxes. What sort of discipline would you think it appropriate for me?

Well, actually I don't think you should be punished that much, it is the management that failed to create and implement a comprehensive security concept, in spite of all audits and reports.

I don't think you alone have a chance of defending any one server 24/7, outside a perimeter.

That does not mean though that your performance was acceptable if the reports that these packages have been running for days on those machines are true.

octagonal • December 4, 2006 6:56 PM

> it is the management that failed create and implement a comprehensive security concept, in spite of

I'm writing a long article at work (a long way from NASA) at the moment on this problem and related stuff (lots of the technical aspects of today's computer landscape don't help either).

Just today the boss overruled my attempt to include a "dreadful" category in the statistics.

Anonymous • December 4, 2006 7:34 PM

"though one shouldn't shirk on the log review either."

That was in fact how he was found. There were logins where there shouldn't be, and upon investigation the extent of the trouble was found.

cmills • December 5, 2006 6:02 AM

I thought that you aren't supposed to promote personal or commercial websites on this post. Maybe you are capable of doing so, but you shouldn't, out of courtesy if nothing else.

Brink O'Frustration • December 5, 2006 8:40 AM

@ anonymous

"I'm one of the admins on a hacked boxes. What sort of discipline would you think it appropriate for me?"

Two weeks on a beach in San Diego and sympathy from those of us who also have to defend against a million possible attacks, while an attacker only has to find one vulnerability. We usually do not have a say in what systems become publicly accessible, we're just given a charge to defend them.

Philosopher • December 5, 2006 3:24 PM

@Andrew W

I'm curious.
What was the spelling problem? "Defenses"? Check it out: http://en.wikipedia.org/wiki/Defense

@Rob Mayfield

LOL

Now for a slightly more serious comment for all you System Admins. In my work environment, I have heard of cases where staff have been demoted, fired or jailed (military jail for service personnel) as punishment for playing with hacking tools or other security breaches.

P.S. Wouldn't it be nice to have a blog comment system with a spell checker facility?

mbridge • December 10, 2006 11:03 PM

In cases like this it is all too easy to blame the person who runs the computer, but that may be missing the bigger picture...

A Security Administrator is only as effective as the training they receive (formal and otherwise), the tools at their disposal, and the amount of authority they are allowed to wield. In a number of these cases the security people were trying to do their jobs, but were hamstrung by administrative issues (lack of power, lack of training, lack of concern on the part of their supervisors, etc).

Before anyone blames anyone, they should evaluate the process and procedures to see if it was a one-time break-down, or if it was a more systematic failure that needs to be studied and remedied.

Todd
CEO of MBridge
mbridge.com


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.