Feeds

FBI hacked Russian hackers

New world order

  • alert
  • submit to reddit

Seven Steps to Software Security

Russian computer enthusiasts Alexey Ivanov and Vasiliy Gorshkov are in the United States just now answering charges that they broke into numerous remote servers and download proprietary information, customer databases and credit card details, and then attempted to extort money for 'security services' which, they assured their victims, would eliminate the holes exploited during the attacks.

Among the major scores they're credited with was the downloading of credit card details from 15,700 unfortunate Western Union customers.

Not so much leet as incredibly brazen, the pair typically exploited several well-known vulnerabilities in Win-NT for which patches were issued ages ago and persistently ignored by sysadmins with far better things to do than read a lot of dry security bulletins.

Interestingly, the FBI engaged in a little social engineering attack of its own, and actually lured the duo to the USA with a come-on from a phony security outfit eager to avail itself of their mad skillz.

Once the agents, who were posing as representatives of the fictional 'Invita' security firm, got the men on US soil, they put on a command performance, and persuaded the unlucky pair to give them a demonstration of their amazing prowess.

Naturally, the box the Feds supplied was rigged with every surveillance gizmo known to man. But our pair of Russian braniacs somehow failed to insist on using their own equipment, and played right into Unca Sam's hands.

We can only surmise that the two accessed their own boxes back in Russia to route their demo attack, or to download toolz, or to consult their favorite h4x0r how-to. In any event, the FBI was able to use data recorded by the rigged demo box to access the pair's own boxes in Russia, from which they got all the evidence needed to hang them.

Jurisdictional weirdness

It was, without question, one sweet sting; but what happened next strikes us as totally sketch. The FBI downloaded data from the suspects' comps, and then went to a judge for a search warrant, which was granted.

The Russian authorities had conspicuously declined to cooperate, the Feds note. Fair enough, but we don't know by what right the FBI thinks it can gain unauthorized access to a computer in a foreign country and use information so gained as evidence in court.

A brilliant sting seems tainted by a kind of haughtiness regarding national sovereignty. Had the unlucky pair voluntarily revealed this data on the strength of the FBI's acting job, we'd have our hats off to their ingenuity and theatrical skill. Had a Russian judge sanctioned the use of this data by a foreign government, we'd be delighted.

But when the US government lowers itself to the level of a common malicious hacker, and gets away with it in court regardless of the internal laws of the country where they performed this deed, we're prevented from applauding as we otherwise would.

A splendid sting, which if it had been handled right could have been as sweet as honey, was, we reckon, severely degraded by Yankee pragmatism and legalistic arrogance. ®

Related story

Russian Mafia uses NT flaws to raid Internet banks

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.