Feeds

BOFH-loving botmaster wants life as security consultant

Feds want him in prison

Reducing security risks from open source software

An American security consultant who stole hundreds of thousands of online bank passwords by employing a massive botnet that he often administered from work deserves at least five years in prison, prosecutors have told a federal judge.

The request for a minimum 60-month sentence, followed by five years of supervised release, came in the case of John Kenneth Schiefer of Los Angeles, who in November of 2007 admitted he was the hacker known alternately as Acid and Acidstorm and wielded a 250,000-strong bot army.

Prosecutors rejected Schiefer's arguments that he should be allowed to continue working as a security consultant, saying the stiff penalty was justified by the extreme callousness and brazenness of his offenses.

"The widespread, pernicious, and malicious manner in which this crime occurred favors a lengthy custodial sentence," prosecutors wrote in court documents filed earlier this month. "Defendant nonetheless offers his own self-serving claim that his malicious software did not damage the computers that he infected. Defendant should not be believed."

To back up their claims, the prosecutors, from the US Attorneys Office in Los Angeles, recited a litany of aggravating factors, including Schiefer's "bullying" of underage hacking accomplices to engage in theft using his malware. "Quit being a bitch and claim it," Schiefer told an juvenile apprentice named Adam, according to court documents.

Prosecutors also claimed Schiefer's crimes were especially egregious because he passed along pilfered usernames and passwords to fellow identity thieves, which means victims continued to suffer long after Schiefer was through with them. He also committed his offenses while on parole on a prior conviction and from his place of employment as a security consultant at Los Angeles-based 3G Communications.

The 31-page document came in response to a court pleading Schiefer's attorney filed under seal in the case. According to the prosecutors' memorandum filed in US District Court in Los Angeles, the defense argued that based on a host of mitigating circumstances, Schiefer should be allowed to continue working as a security consultant.

The defense attorney argued that the more lenient sentence was justified because Schiefer "ultimately did not steal much money" and because the malware he installed on more than 250,000 PCs caused little lasting damage, according to the government's pleading. Schiefer's attorney also said his history included a "substance abuse problem" and being "the target of sexual abuse."

The attorney, Sonia Chahin, was traveling and not available for comment. Responding to an emailed request for comment, someone using Schiefer's email sent a reply via a Blackberry smartphone that read simply: "Dan you are bofh?". In a follow-up email he said he's spent the past 15 months "working as a professional in the security/tech scene." He added that he is currently a network engineer for an internet startup, but didn't say which one.

Schiefer will be sentenced in the same federal courthouse where fellow botmaster James Ancheta received five years in 2006 after pleading guilty to felony hacking charges. Schiefer's hearing is scheduled for February 25.

Based on the facts laid out in public portions of the case, it looks likely Schiefer could face a substantial time in prison, said Mark Rasch, a former federal cyber prosecutor who is now a computer crimes specialist in Bethesda, Maryland.

"It seems to me that this kind of activity, which is deliberate, willful, harmful, malicious and where he is the leader of the activity and brings in other people to help him do it, there doesn't seem to be a lot of saving grace here," he said. "If this guy was allowed to be a security professional, it really destroys the reputation of other security professionals." ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.