Feeds

BOFH-loving botmaster wants life as security consultant

Feds want him in prison

The Essential Guide to IT Transformation

An American security consultant who stole hundreds of thousands of online bank passwords by employing a massive botnet that he often administered from work deserves at least five years in prison, prosecutors have told a federal judge.

The request for a minimum 60-month sentence, followed by five years of supervised release, came in the case of John Kenneth Schiefer of Los Angeles, who in November of 2007 admitted he was the hacker known alternately as Acid and Acidstorm and wielded a 250,000-strong bot army.

Prosecutors rejected Schiefer's arguments that he should be allowed to continue working as a security consultant, saying the stiff penalty was justified by the extreme callousness and brazenness of his offenses.

"The widespread, pernicious, and malicious manner in which this crime occurred favors a lengthy custodial sentence," prosecutors wrote in court documents filed earlier this month. "Defendant nonetheless offers his own self-serving claim that his malicious software did not damage the computers that he infected. Defendant should not be believed."

To back up their claims, the prosecutors, from the US Attorneys Office in Los Angeles, recited a litany of aggravating factors, including Schiefer's "bullying" of underage hacking accomplices to engage in theft using his malware. "Quit being a bitch and claim it," Schiefer told an juvenile apprentice named Adam, according to court documents.

Prosecutors also claimed Schiefer's crimes were especially egregious because he passed along pilfered usernames and passwords to fellow identity thieves, which means victims continued to suffer long after Schiefer was through with them. He also committed his offenses while on parole on a prior conviction and from his place of employment as a security consultant at Los Angeles-based 3G Communications.

The 31-page document came in response to a court pleading Schiefer's attorney filed under seal in the case. According to the prosecutors' memorandum filed in US District Court in Los Angeles, the defense argued that based on a host of mitigating circumstances, Schiefer should be allowed to continue working as a security consultant.

The defense attorney argued that the more lenient sentence was justified because Schiefer "ultimately did not steal much money" and because the malware he installed on more than 250,000 PCs caused little lasting damage, according to the government's pleading. Schiefer's attorney also said his history included a "substance abuse problem" and being "the target of sexual abuse."

The attorney, Sonia Chahin, was traveling and not available for comment. Responding to an emailed request for comment, someone using Schiefer's email sent a reply via a Blackberry smartphone that read simply: "Dan you are bofh?". In a follow-up email he said he's spent the past 15 months "working as a professional in the security/tech scene." He added that he is currently a network engineer for an internet startup, but didn't say which one.

Schiefer will be sentenced in the same federal courthouse where fellow botmaster James Ancheta received five years in 2006 after pleading guilty to felony hacking charges. Schiefer's hearing is scheduled for February 25.

Based on the facts laid out in public portions of the case, it looks likely Schiefer could face a substantial time in prison, said Mark Rasch, a former federal cyber prosecutor who is now a computer crimes specialist in Bethesda, Maryland.

"It seems to me that this kind of activity, which is deliberate, willful, harmful, malicious and where he is the leader of the activity and brings in other people to help him do it, there doesn't seem to be a lot of saving grace here," he said. "If this guy was allowed to be a security professional, it really destroys the reputation of other security professionals." ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.