back to article Brit hacker admits he siphoned info from US military satellite network

A UK-based computer hacker has admitted stealing hundreds of usernames and email addresses from a US military communications system. Sean Caffrey, 25, of Sutton Coldfield in the West Midlands, broke in and pinched the ranks, usernames and email addresses of more than 800 users of a satellite communications system and of about …

  1. Anonymous Coward
    Anonymous Coward

    "NCA has people with skills like Caffrey's"

    But not so much to secure their data it seems...

    1. frank ly

      Re: "NCA has people with skills like Caffrey's"

      Well no. Their skill is breaking into computer systems and 'stealing' other people's data. It's a vital skill nowadays and that's why everybody is doing it.

      1. John Lilburne
        Pirate

        Re: "NCA has people with skills like Caffrey's"

        breaking into computer systems and 'stealing' other people's data.

        I'm reliably informed that he could not have possibly 'stolen' anything as: Copying isn't theft.

        http://www.youtube.com/watch?v=IeTybKL1pM4

        1. Sooty
          Happy

          Re: "NCA has people with skills like Caffrey's"

          They might have "star trek style" computers :)

      2. Anonymous Coward
        Anonymous Coward

        Re: "NCA has people with skills like Caffrey's"

        I think you'd getting confused about who the National Crime Agency are and what they do. Just because its name forms a TLA and it contains the word "Agency" doesn't make it a spook outfit.

    2. Anonymous Coward
      Anonymous Coward

      Re: "NCA has people with skills like Caffrey's"

      "NCA has people with skills like Caffrey's"

      This guy?

    3. Anonymous Coward
      Anonymous Coward

      the BBC confirms today that *really* only North Korea has hackers

      Sciurus vulgaris?

      That word "squirrel", first attested in 1327, comes from the Anglo-Norman esquirel which is from the Old French escurel, the reflex of a Latin word sciurus. . .

      1. Anonymous Coward
        Facepalm

        Re: the BBC confirms today that *really* only North Korea has hackers

        "the BBC confirms today that *really* only North Korea has hackers"

        What a load of cyber-bollocks link

    4. John Brown (no body) Silver badge

      Re: "NCA has people with skills like Caffrey's"

      "But not so much to secure their data it seems..."

      That's where the $628,000 comes from. $1000 of man-hours to inform the victims of the leaked data (being generous!) and the other $627,000 to implement the security that should have been in place already.

      1. Suricou Raven

        Re: "NCA has people with skills like Caffrey's"

        If physical crime was treated like cyber-crime:

        - A thief breaks through your flimsy front door and makes off with the £10 you left nearby to pay the window-cleaners with.

        - You spend £3000 getting a new steel-reenforced door professionally fitted with two locks, those slidy things top and bottom, and a lock McGuyver would struggle to pick.

        - The thief is now liable for £3010.

        1. Alan Brown Silver badge

          Re: "NCA has people with skills like Caffrey's"

          - A thief breaks through your UNLOCKED AND WIDE OPEN flimsy front door

          There, fixed it for you.

  2. John Smith 19 Gold badge
    Unhappy

    OMG. He got 800 user account details and they did not press for extradition.

    And to think it only took less than 2 decades for this fairly sane decision to be made.

    Perhaps the UK might think about dumping that asymmetric extradition treaty Blair signed when he was so loved up with Bush?

    Let's hope no one tells the D otherwise expect a flurry of angry tweets in 3..2..1.

  3. Anonymous Coward
    Anonymous Coward

    Only a piffling $628,000?

    If you're going to make up a big number, you can do better than this.

    1. Pen-y-gors

      Re: Only a piffling $628,000?

      They should be paying him $628,000 as a pen testing consultancy fee.

    2. Anonymous Coward
      Anonymous Coward

      Re: Only a piffling $628,000?

      I assume they are following the usual practice of moving the decimal point five places right to get the figure they publish.

  4. eJ2095

    I Wonder

    Why he did it from his home internet??

    If he had the intellgince to borrow said usernames etc surley had the sense to not use his own isp..

    Hell i would not even use my own laptop

    1. Mark 65

      Re: I Wonder

      My guess is that he's a fuckwit. Now looks can be deceiving, but in the photo he's either been up all night or he looks a bit "challenged". I would hypothesise that he didn't really know what he was doing and was either directed by someone else or, more likely, found some toolkit on a forum somewhere a "gave it a crack". To not even use Tor for the hacking or, better, use Tor to research how to hack shit without leaving a dirty great Hansel and Gretel trail to your bedroom smacks of ineptitude. Unencrypted bounty on the HDD just adds to it.

      1. John Smith 19 Gold badge
        Coat

        "Unencrypted bounty on the HDD for the win."

        And they got it.

        Tor sounds like good SOP if one were planning something like this.

        Not suggesting it, just observing.

    2. Suricou Raven

      Re: I Wonder

      It's possible he is just a script kiddie who got lucky - spend his free time breaking into Wordpress blogs and harassing people on game servers, then one day his vulnerability scanner picks up a government server. He might not even have known what he was hacking.

  5. Your alien overlord - fear me

    If the rozzers found the data on his home computers, why did it need the help of the FBI and DoD to get a conviction?

    1. Doctor Syntax Silver badge

      "why did it need the help of the FBI and DoD to get a conviction?"

      Someone has to give evidence that that was the data that was copied and, govt being what it is, every dept. involved would insist on having their own bod there in case the others did it wrong.

      1. Anonymous Coward
        Anonymous Coward

        Well, now the FBI and DoD have confirmed the addresses, the spamming can commense. The PPI deadline is getting closer.

    2. PhilipN Silver badge

      Multinational crime : 2 components

      Cos the computer he used was in the U.K. And the program/data he accessed was in the US. The court needs direct evidence of both components ergo US agencies to provide it.

  6. John Smith 19 Gold badge
    Unhappy

    "why did it need the help of the FBI and DoD to get a conviction?"

    Presumably because the DoD internal police doesn't really talk to furriners and the FBI does and you need to confirm the suspected stolen data is real stolen data and not, y'know made up (because the suspect is actually a crazy fantasist, or something)?

    I know, sounds pretty far fetched to me as I was typing it.

    1. Andromeda451

      Re: "why did it need the help of the FBI and DoD to get a conviction?"

      On this side of the pond we can blame Congress..

  7. Fizzle
    Black Helicopters

    Within the autistic spectrum?

    And very shortly, I predict, the perpetrator will claim to fall within the autistic spectrum (high end, of course).

    1. Anonymous Coward
      Anonymous Coward

      Re: Within the autistic spectrum?

      And very shortly, I predict, the perpetrator will claim to fall within the autistic spectrum (high end, of course).

      Doesn't that only come in play when someone is tagged for extradition? Not that I buy the fact that someone on the autistic spectrum cannot tell right from wrong or isn't able to construct a model that is an equivalent thereof, but I do appreciate giving non-US people the same means to avoiding extradition as Americans get when they have committed crimes abroad. I like reciprocity.

  8. Anonymous Coward
    Anonymous Coward

    Costs....

    .."The US Department of Defense said it, get this, cost about $628,000 to fix the damage caused by the intrusion...."

    Well just like everything else, I'd ask for a breakdown of the costs.

    1. Toltec

      Re: Costs....

      "Well just like everything else, I'd ask for a breakdown of the costs."

      I reckon the calculation will be something like $20 per phone and $10 per user to reset details with some extra to cover the costs of going out to dinner to discuss making the changes, he is lucky they didn't include the cost to promote all the users to change their rank.

    2. Nolveys
      Black Helicopters

      Re: Costs....

      I'd ask for a breakdown of the costs.

      628 hammers.

  9. ShortLegs

    No surprises at the cost; no one else remember the Craig Niedorf case, regarding the E911 document? Valued by AT&T at $79,499 at trial, it was demonstrated that document was available freely from ATT for the sum of thirteen dollars. The prosecution needed a big number to make the alleged crime sound heinous.

    It's detailed in Part Four of Bruce Stirlings freely available book The Hacker Crackdown

    1. Mark 65

      I believe the big number is there to justify a request for a long sentence. You could hardly ask for years for $13.

  10. Ptol

    Costs?

    Lets do the breakdown:

    PR budget to cover embarrassment: $400,000

    IT Consultancy to configure our systems securely: $200,000

    Company Time Investigating breach and management meetings: $27,900

    Engineer time triggering a rotating rebuild of the servers: $100

    Thus, the actual damages legally due in court $100

  11. Valerion

    Perhaps

    The cost has come from changing usernames for everyone. If they are a security-conscious organisation <cough> then if the usernames are exposed then that is potentially serious, as that's half of what you need in order to gain access. It's just the password left to crack. So the answer would be to invalidate the usernames to re-secure the system.

    1. JeffyPoooh
      Pint

      Re: Perhaps

      Usernames are, very often (in general), just email addresses.

      So, one should *never* reveal one's email address... (?).

      1. Valerion

        Re: Perhaps

        They are also often NOT email addresses.

        In a sensitive, secured system, the username should bear no relation to the public email address used by the user.

  12. Pascal Monett Silver badge
    Flame

    "No one should think that cyber crime is victimless or that they can get away with it"

    Unless, of course, they hack some mother of two or a dude with his own personal company working from home.

    In that case, screw you innocent guy, we don't have the resources to find out who did it.

  13. Christian Berger

    The details would be interresting

    Was this an insecure website? Were the classes of bugs already widely known? If so, why didn't they hire people who know what they were doing when handling sensitive data.

  14. Bob Hoskins
    FAIL

    FAIL

    Nothing annoys me more than the US military whining that they got owned in some stupid embarrassing way by some kid in his bedroom and then making up huge sums of money and acting like they're in a shooting war with the Russians. I guess it's an easier way to get budget than to you know ASK for some security in the first place.

    1. John Smith 19 Gold badge
      WTF?

      "Nothing annoys me more..US military whining that they got owned..stupid embarrassing way"

      I think the thing people find very odd about the DoD is this.

      Despite being in the habit of invading foreign countries (they seem to have started getting over Viet Nam when they invaded Grenada and have been putting in regular practice ever since) and having one of the words biggest and most technologically advanced armies on the planet they don't seem to absorbed one simple lesson.

      Quite a lot of people don't like them.

      That, plus the fact they have various assorted kinds of information that could be financially or militarily beneficial for unauthorized outsiders to know, means that they are (to coin a phrase)

      "A big f**king target."

      Despite this they seem to behave with an attitude to IT security that would embarrass, say McDonalds.

      It's 2017 and it seems parts of the DoD still think this is the 1970's.

  15. Anonymous Coward
    Facepalm

    Not much sign of intelligence there

    "Sean Caffrey .. broke in and pinched the ranks, usernames and email addresses of more than 800 users .. Exactly how he did it isn't known:"

    Are they still using the same passwordless Windows image on all the machines?

    "Intelligence showed the hack originated from his home internet connection"

    Not much sign of intelligence there :)

  16. scrubber
    WTF?

    "No one should think that cyber crime is victimless"

    Actually, this is the perfect example of a victimless crime - he got access and copied some data. Then did nothing with it. There is no victim here, just a system that requires securing.

    A real world analogy would be a workplace that already had a broken lock, someone went in, took a picture, then left and did nothing with the picture. To then claim the person with the picture created damages equal to the price of a new lock is laughable.

    1. Bob Hoskins

      Re: "No one should think that cyber crime is victimless"

      That's a good analogy. In fact it makes the point perfectly.

  17. Kaltern
    Big Brother

    But he COULD be a Communist.

  18. cortland

    That's

    That's an *interesting* charge.

    I'm imagining three officers with handcuffs standing by a dialysis machine reading their arrest warrant:

    "You're charged with causing a security breach with code written forty years ago... You'll have to come with us, sir."

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like