Feeds

BOFH-loving botmaster wants life as security consultant

Feds want him in prison

Using blade systems to cut costs and sharpen efficiencies

An American security consultant who stole hundreds of thousands of online bank passwords by employing a massive botnet that he often administered from work deserves at least five years in prison, prosecutors have told a federal judge.

The request for a minimum 60-month sentence, followed by five years of supervised release, came in the case of John Kenneth Schiefer of Los Angeles, who in November of 2007 admitted he was the hacker known alternately as Acid and Acidstorm and wielded a 250,000-strong bot army.

Prosecutors rejected Schiefer's arguments that he should be allowed to continue working as a security consultant, saying the stiff penalty was justified by the extreme callousness and brazenness of his offenses.

"The widespread, pernicious, and malicious manner in which this crime occurred favors a lengthy custodial sentence," prosecutors wrote in court documents filed earlier this month. "Defendant nonetheless offers his own self-serving claim that his malicious software did not damage the computers that he infected. Defendant should not be believed."

To back up their claims, the prosecutors, from the US Attorneys Office in Los Angeles, recited a litany of aggravating factors, including Schiefer's "bullying" of underage hacking accomplices to engage in theft using his malware. "Quit being a bitch and claim it," Schiefer told an juvenile apprentice named Adam, according to court documents.

Prosecutors also claimed Schiefer's crimes were especially egregious because he passed along pilfered usernames and passwords to fellow identity thieves, which means victims continued to suffer long after Schiefer was through with them. He also committed his offenses while on parole on a prior conviction and from his place of employment as a security consultant at Los Angeles-based 3G Communications.

The 31-page document came in response to a court pleading Schiefer's attorney filed under seal in the case. According to the prosecutors' memorandum filed in US District Court in Los Angeles, the defense argued that based on a host of mitigating circumstances, Schiefer should be allowed to continue working as a security consultant.

The defense attorney argued that the more lenient sentence was justified because Schiefer "ultimately did not steal much money" and because the malware he installed on more than 250,000 PCs caused little lasting damage, according to the government's pleading. Schiefer's attorney also said his history included a "substance abuse problem" and being "the target of sexual abuse."

The attorney, Sonia Chahin, was traveling and not available for comment. Responding to an emailed request for comment, someone using Schiefer's email sent a reply via a Blackberry smartphone that read simply: "Dan you are bofh?". In a follow-up email he said he's spent the past 15 months "working as a professional in the security/tech scene." He added that he is currently a network engineer for an internet startup, but didn't say which one.

Schiefer will be sentenced in the same federal courthouse where fellow botmaster James Ancheta received five years in 2006 after pleading guilty to felony hacking charges. Schiefer's hearing is scheduled for February 25.

Based on the facts laid out in public portions of the case, it looks likely Schiefer could face a substantial time in prison, said Mark Rasch, a former federal cyber prosecutor who is now a computer crimes specialist in Bethesda, Maryland.

"It seems to me that this kind of activity, which is deliberate, willful, harmful, malicious and where he is the leader of the activity and brings in other people to help him do it, there doesn't seem to be a lot of saving grace here," he said. "If this guy was allowed to be a security professional, it really destroys the reputation of other security professionals." ®

Boost IT visibility and business value

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.