back to article Brit hacker admits he siphoned info from US military satellite network

A UK-based computer hacker has admitted stealing hundreds of usernames and email addresses from a US military communications system. Sean Caffrey, 25, of Sutton Coldfield in the West Midlands, broke in and pinched the ranks, usernames and email addresses of more than 800 users of a satellite communications system and of about …

Anonymous Coward

"NCA has people with skills like Caffrey's"

But not so much to secure their data it seems...

34
1
Silver badge

Re: "NCA has people with skills like Caffrey's"

Well no. Their skill is breaking into computer systems and 'stealing' other people's data. It's a vital skill nowadays and that's why everybody is doing it.

21
0
Anonymous Coward

Re: "NCA has people with skills like Caffrey's"

"NCA has people with skills like Caffrey's"

This guy?

4
0
Anonymous Coward

the BBC confirms today that *really* only North Korea has hackers

Sciurus vulgaris?

That word "squirrel", first attested in 1327, comes from the Anglo-Norman esquirel which is from the Old French escurel, the reflex of a Latin word sciurus. . .

1
0
Silver badge
Pirate

Re: "NCA has people with skills like Caffrey's"

breaking into computer systems and 'stealing' other people's data.

I'm reliably informed that he could not have possibly 'stolen' anything as: Copying isn't theft.

http://www.youtube.com/watch?v=IeTybKL1pM4

9
0
Happy

Re: "NCA has people with skills like Caffrey's"

They might have "star trek style" computers :)

0
0
Silver badge
Facepalm

Re: the BBC confirms today that *really* only North Korea has hackers

"the BBC confirms today that *really* only North Korea has hackers"

What a load of cyber-bollocks link

0
0
Silver badge

Re: "NCA has people with skills like Caffrey's"

I think you'd getting confused about who the National Crime Agency are and what they do. Just because its name forms a TLA and it contains the word "Agency" doesn't make it a spook outfit.

1
0
Silver badge

Re: "NCA has people with skills like Caffrey's"

"But not so much to secure their data it seems..."

That's where the $628,000 comes from. $1000 of man-hours to inform the victims of the leaked data (being generous!) and the other $627,000 to implement the security that should have been in place already.

0
0
Silver badge

Re: "NCA has people with skills like Caffrey's"

If physical crime was treated like cyber-crime:

- A thief breaks through your flimsy front door and makes off with the £10 you left nearby to pay the window-cleaners with.

- You spend £3000 getting a new steel-reenforced door professionally fitted with two locks, those slidy things top and bottom, and a lock McGuyver would struggle to pick.

- The thief is now liable for £3010.

0
0
Silver badge

Re: "NCA has people with skills like Caffrey's"

- A thief breaks through your UNLOCKED AND WIDE OPEN flimsy front door

There, fixed it for you.

1
0
Gold badge
Unhappy

OMG. He got 800 user account details and they did not press for extradition.

And to think it only took less than 2 decades for this fairly sane decision to be made.

Perhaps the UK might think about dumping that asymmetric extradition treaty Blair signed when he was so loved up with Bush?

Let's hope no one tells the D otherwise expect a flurry of angry tweets in 3..2..1.

21
0
Anonymous Coward

Only a piffling $628,000?

If you're going to make up a big number, you can do better than this.

16
0
Silver badge

Re: Only a piffling $628,000?

They should be paying him $628,000 as a pen testing consultancy fee.

15
1
Silver badge

Re: Only a piffling $628,000?

I assume they are following the usual practice of moving the decimal point five places right to get the figure they publish.

9
0

I Wonder

Why he did it from his home internet??

If he had the intellgince to borrow said usernames etc surley had the sense to not use his own isp..

Hell i would not even use my own laptop

10
0
Silver badge

Re: I Wonder

My guess is that he's a fuckwit. Now looks can be deceiving, but in the photo he's either been up all night or he looks a bit "challenged". I would hypothesise that he didn't really know what he was doing and was either directed by someone else or, more likely, found some toolkit on a forum somewhere a "gave it a crack". To not even use Tor for the hacking or, better, use Tor to research how to hack shit without leaving a dirty great Hansel and Gretel trail to your bedroom smacks of ineptitude. Unencrypted bounty on the HDD just adds to it.

4
0
Silver badge

Re: I Wonder

It's possible he is just a script kiddie who got lucky - spend his free time breaking into Wordpress blogs and harassing people on game servers, then one day his vulnerability scanner picks up a government server. He might not even have known what he was hacking.

2
0
Gold badge
Coat

"Unencrypted bounty on the HDD for the win."

And they got it.

Tor sounds like good SOP if one were planning something like this.

Not suggesting it, just observing.

0
0
Silver badge

If the rozzers found the data on his home computers, why did it need the help of the FBI and DoD to get a conviction?

9
0
Silver badge

"why did it need the help of the FBI and DoD to get a conviction?"

Someone has to give evidence that that was the data that was copied and, govt being what it is, every dept. involved would insist on having their own bod there in case the others did it wrong.

4
0
Bronze badge

Multinational crime : 2 components

Cos the computer he used was in the U.K. And the program/data he accessed was in the US. The court needs direct evidence of both components ergo US agencies to provide it.

3
0
Anonymous Coward

Well, now the FBI and DoD have confirmed the addresses, the spamming can commense. The PPI deadline is getting closer.

0
0
Gold badge
Unhappy

"why did it need the help of the FBI and DoD to get a conviction?"

Presumably because the DoD internal police doesn't really talk to furriners and the FBI does and you need to confirm the suspected stolen data is real stolen data and not, y'know made up (because the suspect is actually a crazy fantasist, or something)?

I know, sounds pretty far fetched to me as I was typing it.

3
0

Re: "why did it need the help of the FBI and DoD to get a conviction?"

On this side of the pond we can blame Congress..

1
0
Black Helicopters

Within the autistic spectrum?

And very shortly, I predict, the perpetrator will claim to fall within the autistic spectrum (high end, of course).

6
4
Anonymous Coward

Re: Within the autistic spectrum?

And very shortly, I predict, the perpetrator will claim to fall within the autistic spectrum (high end, of course).

Doesn't that only come in play when someone is tagged for extradition? Not that I buy the fact that someone on the autistic spectrum cannot tell right from wrong or isn't able to construct a model that is an equivalent thereof, but I do appreciate giving non-US people the same means to avoiding extradition as Americans get when they have committed crimes abroad. I like reciprocity.

4
0
Silver badge

Costs....

.."The US Department of Defense said it, get this, cost about $628,000 to fix the damage caused by the intrusion...."

Well just like everything else, I'd ask for a breakdown of the costs.

13
0
Bronze badge

Re: Costs....

"Well just like everything else, I'd ask for a breakdown of the costs."

I reckon the calculation will be something like $20 per phone and $10 per user to reset details with some extra to cover the costs of going out to dinner to discuss making the changes, he is lucky they didn't include the cost to promote all the users to change their rank.

2
0
Silver badge
Black Helicopters

Re: Costs....

I'd ask for a breakdown of the costs.

628 hammers.

8
0

No surprises at the cost; no one else remember the Craig Niedorf case, regarding the E911 document? Valued by AT&T at $79,499 at trial, it was demonstrated that document was available freely from ATT for the sum of thirteen dollars. The prosecution needed a big number to make the alleged crime sound heinous.

It's detailed in Part Four of Bruce Stirlings freely available book The Hacker Crackdown

12
0
Silver badge

I believe the big number is there to justify a request for a long sentence. You could hardly ask for years for $13.

0
0

Costs?

Lets do the breakdown:

PR budget to cover embarrassment: $400,000

IT Consultancy to configure our systems securely: $200,000

Company Time Investigating breach and management meetings: $27,900

Engineer time triggering a rotating rebuild of the servers: $100

Thus, the actual damages legally due in court $100

8
0

Perhaps

The cost has come from changing usernames for everyone. If they are a security-conscious organisation <cough> then if the usernames are exposed then that is potentially serious, as that's half of what you need in order to gain access. It's just the password left to crack. So the answer would be to invalidate the usernames to re-secure the system.

0
0
Silver badge
Pint

Re: Perhaps

Usernames are, very often (in general), just email addresses.

So, one should *never* reveal one's email address... (?).

4
0

Re: Perhaps

They are also often NOT email addresses.

In a sensitive, secured system, the username should bear no relation to the public email address used by the user.

0
0
Silver badge
Flame

"No one should think that cyber crime is victimless or that they can get away with it"

Unless, of course, they hack some mother of two or a dude with his own personal company working from home.

In that case, screw you innocent guy, we don't have the resources to find out who did it.

7
0
Silver badge

The details would be interresting

Was this an insecure website? Were the classes of bugs already widely known? If so, why didn't they hire people who know what they were doing when handling sensitive data.

3
0
FAIL

FAIL

Nothing annoys me more than the US military whining that they got owned in some stupid embarrassing way by some kid in his bedroom and then making up huge sums of money and acting like they're in a shooting war with the Russians. I guess it's an easier way to get budget than to you know ASK for some security in the first place.

5
0
Gold badge
WTF?

"Nothing annoys me more..US military whining that they got owned..stupid embarrassing way"

I think the thing people find very odd about the DoD is this.

Despite being in the habit of invading foreign countries (they seem to have started getting over Viet Nam when they invaded Grenada and have been putting in regular practice ever since) and having one of the words biggest and most technologically advanced armies on the planet they don't seem to absorbed one simple lesson.

Quite a lot of people don't like them.

That, plus the fact they have various assorted kinds of information that could be financially or militarily beneficial for unauthorized outsiders to know, means that they are (to coin a phrase)

"A big f**king target."

Despite this they seem to behave with an attitude to IT security that would embarrass, say McDonalds.

It's 2017 and it seems parts of the DoD still think this is the 1970's.

0
0
Silver badge
Facepalm

Not much sign of intelligence there

"Sean Caffrey .. broke in and pinched the ranks, usernames and email addresses of more than 800 users .. Exactly how he did it isn't known:"

Are they still using the same passwordless Windows image on all the machines?

"Intelligence showed the hack originated from his home internet connection"

Not much sign of intelligence there :)

1
0
Silver badge
WTF?

"No one should think that cyber crime is victimless"

Actually, this is the perfect example of a victimless crime - he got access and copied some data. Then did nothing with it. There is no victim here, just a system that requires securing.

A real world analogy would be a workplace that already had a broken lock, someone went in, took a picture, then left and did nothing with the picture. To then claim the person with the picture created damages equal to the price of a new lock is laughable.

11
0

Re: "No one should think that cyber crime is victimless"

That's a good analogy. In fact it makes the point perfectly.

3
0
Bronze badge
Big Brother

But he COULD be a Communist.

1
0

That's

That's an *interesting* charge.

I'm imagining three officers with handcuffs standing by a dialysis machine reading their arrest warrant:

"You're charged with causing a security breach with code written forty years ago... You'll have to come with us, sir."

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017