BOFH-loving botmaster wants life as security consultant

Feds want him in prison

An American security consultant who stole hundreds of thousands of online bank passwords by employing a massive botnet that he often administered from work deserves at least five years in prison, prosecutors have told a federal judge.

The request for a minimum 60-month sentence, followed by five years of supervised release, came in the case of John Kenneth Schiefer of Los Angeles, who in November of 2007 admitted he was the hacker known alternately as Acid and Acidstorm and wielded a 250,000-strong bot army.

Prosecutors rejected Schiefer's arguments that he should be allowed to continue working as a security consultant, saying the stiff penalty was justified by the extreme callousness and brazenness of his offenses.

"The widespread, pernicious, and malicious manner in which this crime occurred favors a lengthy custodial sentence," prosecutors wrote in court documents filed earlier this month. "Defendant nonetheless offers his own self-serving claim that his malicious software did not damage the computers that he infected. Defendant should not be believed."

To back up their claims, the prosecutors, from the US Attorney's Office in Los Angeles, recited a litany of aggravating factors, including Schiefer's "bullying" of underage hacking accomplices to engage in theft using his malware. "Quit being a bitch and claim it," Schiefer told a juvenile apprentice named Adam, according to court documents.

Prosecutors also claimed Schiefer's crimes were especially egregious because he passed along pilfered usernames and passwords to fellow identity thieves, which means victims continued to suffer long after Schiefer was through with them. He also committed his offenses while on parole on a prior conviction and from his place of employment as a security consultant at Los Angeles-based 3G Communications.

The 31-page document came in response to a court pleading Schiefer's attorney filed under seal in the case. According to the prosecutors' memorandum filed in US District Court in Los Angeles, the defense argued that based on a host of mitigating circumstances, Schiefer should be allowed to continue working as a security consultant.

The defense attorney argued that the more lenient sentence was justified because Schiefer "ultimately did not steal much money" and because the malware he installed on more than 250,000 PCs caused little lasting damage, according to the government's pleading. Schiefer's attorney also said his history included a "substance abuse problem" and being "the target of sexual abuse."

The attorney, Sonia Chahin, was traveling and not available for comment. Responding to an emailed request for comment, someone using Schiefer's email sent a reply via a Blackberry smartphone that read simply: "Dan you are bofh?". In a follow-up email he said he's spent the past 15 months "working as a professional in the security/tech scene." He added that he is currently a network engineer for an internet startup, but didn't say which one.

Schiefer will be sentenced in the same federal courthouse where fellow botmaster James Ancheta received five years in 2006 after pleading guilty to felony hacking charges. Schiefer's hearing is scheduled for February 25.

Based on the facts laid out in public portions of the case, it looks likely Schiefer could face substantial time in prison, said Mark Rasch, a former federal cyber prosecutor who is now a computer crimes specialist in Bethesda, Maryland.

"It seems to me that this kind of activity, which is deliberate, willful, harmful, malicious and where he is the leader of the activity and brings in other people to help him do it, there doesn't seem to be a lot of saving grace here," he said. "If this guy was allowed to be a security professional, it really destroys the reputation of other security professionals." ®
