Feeds

BOFH-loving botmaster wants life as security consultant

Feds want him in prison

High performance access to file storage

An American security consultant who stole hundreds of thousands of online bank passwords by employing a massive botnet that he often administered from work deserves at least five years in prison, prosecutors have told a federal judge.

The request for a minimum 60-month sentence, followed by five years of supervised release, came in the case of John Kenneth Schiefer of Los Angeles, who in November of 2007 admitted he was the hacker known alternately as Acid and Acidstorm and wielded a 250,000-strong bot army.

Prosecutors rejected Schiefer's arguments that he should be allowed to continue working as a security consultant, saying the stiff penalty was justified by the extreme callousness and brazenness of his offenses.

"The widespread, pernicious, and malicious manner in which this crime occurred favors a lengthy custodial sentence," prosecutors wrote in court documents filed earlier this month. "Defendant nonetheless offers his own self-serving claim that his malicious software did not damage the computers that he infected. Defendant should not be believed."

To back up their claims, the prosecutors, from the US Attorneys Office in Los Angeles, recited a litany of aggravating factors, including Schiefer's "bullying" of underage hacking accomplices to engage in theft using his malware. "Quit being a bitch and claim it," Schiefer told an juvenile apprentice named Adam, according to court documents.

Prosecutors also claimed Schiefer's crimes were especially egregious because he passed along pilfered usernames and passwords to fellow identity thieves, which means victims continued to suffer long after Schiefer was through with them. He also committed his offenses while on parole on a prior conviction and from his place of employment as a security consultant at Los Angeles-based 3G Communications.

The 31-page document came in response to a court pleading Schiefer's attorney filed under seal in the case. According to the prosecutors' memorandum filed in US District Court in Los Angeles, the defense argued that based on a host of mitigating circumstances, Schiefer should be allowed to continue working as a security consultant.

The defense attorney argued that the more lenient sentence was justified because Schiefer "ultimately did not steal much money" and because the malware he installed on more than 250,000 PCs caused little lasting damage, according to the government's pleading. Schiefer's attorney also said his history included a "substance abuse problem" and being "the target of sexual abuse."

The attorney, Sonia Chahin, was traveling and not available for comment. Responding to an emailed request for comment, someone using Schiefer's email sent a reply via a Blackberry smartphone that read simply: "Dan you are bofh?". In a follow-up email he said he's spent the past 15 months "working as a professional in the security/tech scene." He added that he is currently a network engineer for an internet startup, but didn't say which one.

Schiefer will be sentenced in the same federal courthouse where fellow botmaster James Ancheta received five years in 2006 after pleading guilty to felony hacking charges. Schiefer's hearing is scheduled for February 25.

Based on the facts laid out in public portions of the case, it looks likely Schiefer could face a substantial time in prison, said Mark Rasch, a former federal cyber prosecutor who is now a computer crimes specialist in Bethesda, Maryland.

"It seems to me that this kind of activity, which is deliberate, willful, harmful, malicious and where he is the leader of the activity and brings in other people to help him do it, there doesn't seem to be a lot of saving grace here," he said. "If this guy was allowed to be a security professional, it really destroys the reputation of other security professionals." ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.