The 2007 security hall of shame
- — 27 December, 2007 07:47
... and your 2007 poster boys
Consultant turns bot herder: John Schiefer This former security consultant at 3G Communications of Los Angeles admitted in November to running a huge botnet of a quarter million PCs that infected other machines with adware programs, and to using spyware to steal bank and PayPal account information. He faces 60 years in prison on four felony charges, including wire and bank fraud and illegally accessing protected computers. Court documents say his cohorts, including several minors, infected over 135,000 PCs with a password-stealing Trojan program and then used the stolen data to access PayPal and other financial accounts.
Exit strategy: Gary Min In the five months before he left DuPont for a scientist position at a rival company, Gary Min quietly accessed and downloaded confidential company documents valued at an estimated US$400 million. During that time, he downloaded and accessed more than 15 times as many documents as the next most active user of the DuPont database system, but he wasn't caught until after he left the company for the rival firm. He admitted in November 2006 to stealing DuPont trade secrets; the case became public in January after details were unsealed by a federal prosecutor. A US District Court judge, in November sentenced Min to 18 months in prison and ordered him to pay a US$30,000 fine and US$14,500 in restitution to DuPont. The sentence is substantially less than the maximum of 10 years in prison and a US$250,000 fine that Min might have received.
Don't drop the soap: Ivory Dickerson This North Carolina native and former civil engineer was sentenced in December to 110 years in prison after admitting that he and a co-conspirator hacked into computers used by young girls and used illicitly gained data with which to terrorize them into sending lurid photos of themselves. Dickerson trolled MySpace to find underage girls in the Broward County, Florida, area. When he made contact with a potential victim (via IM or e-mail), he'd entice them into opening a file containing a Trojan program that gave him and a co-conspirator control over her computer. He would then try to use hacked information to coerce the girls into sending photos -- threatening to harm them or their families if they refused. The investigation revealed not only photos of various teenagers, but a number of bestiality photos as well, ensuring that disgust about Dickerson is shared around the food chain.
Unbirthday boy: Yung-Hsun Lin Lin, a former Unix system administrator at Medco Health Solutions' New Jersey, office, pled guilty in September to planting a logic bomb that would have destroyed critical data -- including prescription drug data for individuals -- on more than 70 servers. He planted the bomb in the belief he would lose his job after Medco was spun off from drug maker Merck & Co. in 2003. The bomb was first set to go off on Lin's birthday on 2004, but when it failed to work he reset the clock for it to go off ion the same date the following year. The bomb was discovered in early January 2005, months before it was scheduled to be triggered. Lin pleaded guilty to one count transmitting computer code with the intent of causing damage in excess of US$5,000. He is scheduled to be sentenced on January 8. He faces a maximum 10-year sentence and US$250,000 fine.
Pick a hat already: Maxwell Butler Also known as Max Vision, this former security consultant was indicted in September by a federal jury on three counts of wire fraud and two counts of transferring stolen identity information. Butler, who used various online aliases, including Iceman, Digits and Aphex, hacked multiple computer networks of financial institutions and card processing firms, selling the account and identity information he stole from those systems. He even made a cut on the profits his accomplices made by selling merchandise that was purchased using the stolen payment card information.
But here's the thing: Butler was once well known in the security community as a researcher. In 2000, he pleaded guilty to one felony county for breaking into protected military and government computers and served jail time for that. He was also accused of hacking into the networks of the developers of PC games Doom and Quake, and stealing several hundred access passwords to a California Internet service provider. During that trial, it was revealed that he had been an FBI informant for at least two years.