"NCA has people with skills like Caffrey's"
But not so much to secure their data it seems...
A UK-based computer hacker has admitted stealing hundreds of usernames and email addresses from a US military communications system. Sean Caffrey, 25, of Sutton Coldfield in the West Midlands, broke in and pinched the ranks, usernames and email addresses of more than 800 users of a satellite communications system and of about …
"But not so much to secure their data it seems..."
That's where the $628,000 comes from. $1000 of man-hours to inform the victims of the leaked data (being generous!) and the other $627,000 to implement the security that should have been in place already.
If physical crime was treated like cyber-crime:
- A thief breaks through your flimsy front door and makes off with the £10 you left nearby to pay the window-cleaners with.
- You spend £3000 getting a new steel-reenforced door professionally fitted with two locks, those slidy things top and bottom, and a lock McGuyver would struggle to pick.
- The thief is now liable for £3010.
And to think it only took less than 2 decades for this fairly sane decision to be made.
Perhaps the UK might think about dumping that asymmetric extradition treaty Blair signed when he was so loved up with Bush?
Let's hope no one tells the D otherwise expect a flurry of angry tweets in 3..2..1.
My guess is that he's a fuckwit. Now looks can be deceiving, but in the photo he's either been up all night or he looks a bit "challenged". I would hypothesise that he didn't really know what he was doing and was either directed by someone else or, more likely, found some toolkit on a forum somewhere a "gave it a crack". To not even use Tor for the hacking or, better, use Tor to research how to hack shit without leaving a dirty great Hansel and Gretel trail to your bedroom smacks of ineptitude. Unencrypted bounty on the HDD just adds to it.
Presumably because the DoD internal police doesn't really talk to furriners and the FBI does and you need to confirm the suspected stolen data is real stolen data and not, y'know made up (because the suspect is actually a crazy fantasist, or something)?
I know, sounds pretty far fetched to me as I was typing it.
And very shortly, I predict, the perpetrator will claim to fall within the autistic spectrum (high end, of course).
Doesn't that only come in play when someone is tagged for extradition? Not that I buy the fact that someone on the autistic spectrum cannot tell right from wrong or isn't able to construct a model that is an equivalent thereof, but I do appreciate giving non-US people the same means to avoiding extradition as Americans get when they have committed crimes abroad. I like reciprocity.
"Well just like everything else, I'd ask for a breakdown of the costs."
I reckon the calculation will be something like $20 per phone and $10 per user to reset details with some extra to cover the costs of going out to dinner to discuss making the changes, he is lucky they didn't include the cost to promote all the users to change their rank.
No surprises at the cost; no one else remember the Craig Niedorf case, regarding the E911 document? Valued by AT&T at $79,499 at trial, it was demonstrated that document was available freely from ATT for the sum of thirteen dollars. The prosecution needed a big number to make the alleged crime sound heinous.
It's detailed in Part Four of Bruce Stirlings freely available book The Hacker Crackdown
Lets do the breakdown:
PR budget to cover embarrassment: $400,000
IT Consultancy to configure our systems securely: $200,000
Company Time Investigating breach and management meetings: $27,900
Engineer time triggering a rotating rebuild of the servers: $100
Thus, the actual damages legally due in court $100
The cost has come from changing usernames for everyone. If they are a security-conscious organisation <cough> then if the usernames are exposed then that is potentially serious, as that's half of what you need in order to gain access. It's just the password left to crack. So the answer would be to invalidate the usernames to re-secure the system.
Nothing annoys me more than the US military whining that they got owned in some stupid embarrassing way by some kid in his bedroom and then making up huge sums of money and acting like they're in a shooting war with the Russians. I guess it's an easier way to get budget than to you know ASK for some security in the first place.
I think the thing people find very odd about the DoD is this.
Despite being in the habit of invading foreign countries (they seem to have started getting over Viet Nam when they invaded Grenada and have been putting in regular practice ever since) and having one of the words biggest and most technologically advanced armies on the planet they don't seem to absorbed one simple lesson.
Quite a lot of people don't like them.
That, plus the fact they have various assorted kinds of information that could be financially or militarily beneficial for unauthorized outsiders to know, means that they are (to coin a phrase)
"A big f**king target."
Despite this they seem to behave with an attitude to IT security that would embarrass, say McDonalds.
It's 2017 and it seems parts of the DoD still think this is the 1970's.
"Sean Caffrey .. broke in and pinched the ranks, usernames and email addresses of more than 800 users .. Exactly how he did it isn't known:"
Are they still using the same passwordless Windows image on all the machines?
"Intelligence showed the hack originated from his home internet connection"
Not much sign of intelligence there :)
Actually, this is the perfect example of a victimless crime - he got access and copied some data. Then did nothing with it. There is no victim here, just a system that requires securing.
A real world analogy would be a workplace that already had a broken lock, someone went in, took a picture, then left and did nothing with the picture. To then claim the person with the picture created damages equal to the price of a new lock is laughable.