Still, 7 grand is a lot of money for a kid.
One of the crew who hacked TalkTalk has been ordered to hand over £400,000 after seizing control of a high-profile Instagram account following a hack on Aussie telco Telstra. Elliott Gunton, 19, pleaded guilty to breaching a Sexual Harm Prevention Order (SHPO), Computer Misuse Act crimes and money laundering at Norwich Crown …
You usually have to surrender any illegal item, or the profits from your illegal operations, whatever form they have.
Actually, you have to surrender any purportedly illegal item or gains. While I get the reason for this, it opens the door to abuse as having one's bank accounts frozen makes it difficult to mount a legal defense which makes it much more likely you will be found guilty thus making it a lot easier for the state to hold on to the seized assets.
It is a bit odd, as I remember it, it doesnt do a particularly secure wipe, Spybot S&D on the other hand, used to have a VERY secure wipe option (not sure about the current version - which is a bit useless).
One of the first things asked when I was arrested after a faked up kiddi-rape accusation, was if I had a shredder program.
"Yes, part of Spybot, but I dont recall ever using it" was my reply.
Released after 3 hours of questioning, by which time they had finally realised I was in hospital 12-14 miles away at the time of the alleged rape.
Cleared entirely after 3 days, albeit after a LOT of prevaricating (trying out different dates I might have committed the rape).
Had the wrecked remains of my PCs and laptop returned 12 months later - along with my car keys - £1,000+ of missing or broken stuff.
The apology and/or action against the malicious complainant - 12 years and counting.
It's an indicator that Gunton was trying to cover his tracks, when he knew that the police might enter his premises at any time to investigate his browsing history. I can think of any number of things he could have done more cleverly, but I suppose we should be grateful that there's a significant population of stupid, careless criminals.
Were those actual dodgy images, or given he was a 16 yo at the time of that conviction, were they just images of his gf / bf / whatever term used.
Given that there's the legal screwup in UK that 2 16 yos can have sex legally, but if they have sexual mages of themselves at that age (under 18) then its illegal child pr0n.
Given there's sometimes the mentality of creating as many charges as possible against someone I did cynically wonder (if it was just them and a partner imagery then its a bit evil as CP conviction is likely to make any time in jail rather unpleasant & protests about conviction not being what it appears don't necessarily get a considered hearing in E wing)
Give. These. Kids. Jobs. Pay. Them. Handsomely.
Fuck hiring so called, qualified "Cybersecurity Experts".
A Cybersecurity qualification is like a Comedy Award.
Accepting a comedy award means you take comedy too seriously and it's not comedy anymore. The same concept applies to security. If you spend too much time studying the rules and regulations you forget how to protect against those that don't follow the rules and regulations.
Knowing ISO 27002 backwards doesn't stop some teenager pwning your shit.
You just can't hire a Cybersecurity expert based on a formal qualification. You need someone that goes beyond.
You need a raving lunatic in a corner of the office, foaming at the mouth, constantly attacking and telling you where the flaws are. You then need a second techie (the straight man) to implement the protection.
I know for some sysadmins this is a frightening concept because it makes everyday a threat to you, but come on...these large organisations have done the best they can to protect themselves and have failed. It's mostly because the endless meetings and standards documents are based on prior attacks. Nobody is spending time considering what the next attack will be because they don't know where their weaknesses lie.
Strangely I see some valid points, the red mist however does it no justice.
Yes, they have skills and yes, gameful employment is a good path.
Yes ISO 27001 is only as good as the implementor(s).
However in any post, you need to take your audience with you...a rant rarely helps your case :)
This is a racist stereotype - I met a lot of very skilled pen testers that are quite far from your description. And anyway when you let someone attack your systems, you want someone responsible - not one that behind your backs sells what it finds on the black market.
And who will indemnify the company against anything done by the loose cannon while on the clock which might be -- shall we say...? -- slightly outside the bounds of propriety? Because people who think the rules don't apply to them when they are on their own aren't likely to be any more circumspect after being told "We hired you to think outside the box and go beyond expectations!"
There's a REASON that companies don't like to hire loose cannon types; it's called "limiting liability".
Skills aren't all thats needed. You also need to be of a certain moral calibre. Imagine hiring this 1337 teen hacker for your cyber security only for him to rinse your company for all its fucking worth.
Some teens do get into trouble for innocuous curiosity that goes too far; however this clearly wasn't the case. He wasn't just testing the limits; he was actively targeting them and profiting off of them.
It would be like hiring a raging alcoholic as your wines and spirits buyer and expecting everything to go okay.
"Reads to me as Talk-Talk and Telstra are a steaming piles of insecurity."
Oh, indeed - and an astute judge could make hay by dint of simply pointing out that the only reason they're not facing massive charges and fines themselves is because noone's thought to prosecute them yet.
If a social-engineering skript kiddie can crash into someone's IG account by sweet talking telco employees, then the privacy bodies in all countries affected should be going in boot-and-all for maximum fines.
Yes he's a criminal scumbag, but they still broke a bunch of laws (and GDPR liabilities apply for TalkTalk) by handing over the data. Right now they can blame the 'evil hacker' instead of being made to sweat a few million, have some explaining to do to the shareholders and fix their broken processes so it doesn't happen again (What was the Talktalk record? 3 almost identical bull-in-a-china-shop hacks in as many months where they tried to play it down as "sophisticated and subtle" and "we've fixed our security" - fines should be tripled when that kind of bare faced lie is publicly shown up for what it is.)
I had to laugh, only in the uk is it aparently illegal to use ccleaner because cops are stupid and obviously incompetant at their job .
Wondering if putting your browser in perma private mode where it doesnt save any history is also banned for these orders.
I could understand if they said (like the USA), you cant use a computer at all, or forced the internet provider to record everything he does (at his expence). But relying on a criminal to behave and nannying him is just how stupid our police have come.
CCleaner is not illegal in the UK.
People under an SHPO must not erase their browsing histories under the terms of the order. If they breach those terms they will be back in court.
This is to allow any untrained police to carry out visits and checks without having to use IT forensic guys.
Of course there are a 1000 ways around this, but they have to work with the resources they have.
But feel free to have a good old scoff.
....only in the uk is it aparently (sic) illegal to use ccleaner...
I must have missed that part. I didn't read anything there that said it was illegal in this country. HE had a conviction and some court requirements. If I wanted to, I could happily buy and use it, safe in the misunderstanding that it would hide everything I had done
This reminds me of an experience I had with the police. I was witness to two operatives committing a broad daylight burglary on a bike shed in the car park of some flats. After calling plod on 999, I grabbed my Canon dSLR and Telephoto lens and started snapping away to capture their antics as evidence.
They were disturbed by a well meaning resident asking what they were up to (I'm sure it wasn't obvious - I regularly unlock my own bike lock with bolt croppers) and decided to scarper with what they had, but the cops were on silent approach and pulled up just as they tried to cycle away. They were cuffed and taken down the knick for
a good kicking before signing their ready completed confessions questioning.
Some PC showed up to take a statement from me about what happened. I noted the photos taken and he asked to take my memory card (a CF card with Canon format *.CR2 Raw files). I offered to convert to JPG and put on a CD but no, they had to have the memory card to reduce the chance that the pictures have been doctored. Thankfully I'd already downloaded them all to my computer so let him take it away in the hope of increasing the chance of them being banged up. He promptly lost the card on the way to his car which was returned to me by someone who found it and saw pictures of me on the card (note how easy some random person was able to read the files on it!). Card was duly returned to the cops.
The cops finest technology team at HQ repeatedly failed at every attempt to read the Canon CR2 files. They asked me and I gave them info on how to download viewers from the Canon website (I'm sure Canon UK would have helped had they contacted direct).
One of the crims decided to plead Not Guilty so it went to the local Magistrate's court and I was summonsed by the CPS as a witness. This was several months later and the cops still hadn't figured out how to read standard Canon CR2 files from a standard CF card, so the CPS lawyer was worried he'd struggle to present the case against him.
I'd thought ahead and printed out the whole lot in a big pack of A4. I handed him this and his face lit up with relief. 10 minutes later the Magistrate had discharged me without having to give evidence as the photos were enough evidence to send him to Crown court for a bigger sentence (11 months in the end as the fucker was already out on licence from his previous conviction for being a thieving bastard).
I did get my CF card back but I'm not sure if the cops ever figured out how to read the CR2 files. Good job no one waited for them to. In light of that I'm not surprised about anything in this story, or the comments, regarding browser history cleaning tools and questions about the competence of plod with respect to technology.
"I did get my CF card back but I'm not sure if the cops ever figured out how to read the CR2 files."
I'm pretty sure they don't know how to read fingerprints or DNA either, after an experience crashing into a car driven by someone who ran off - the license plates, tax disc and VIN plate on the car all turned out to be counterfeit (never existed at all - which might explain the scarpering), but somehow the Met managed to lose those in less than 48 hours - AND they didn't manage to get any DNA or fingerprints off the driver's airbag.
Meantime the guys attending the crash told me that London's facing a plague of about 10-15% cars being on faked (usually cloned) plates to avoid congestion and other charges - with that kind of response to being handed pretty much easy evidence to go track someone down (and a bunch of their CCTVs watching) you start understanding why people start believing most police are lazy jobsworths who can't hold down work anywhere else.
I suspect that if they keep their historic 5% "solution" rate on crimes, they'll find themselves being made redundant by the general public.
@Paulf - I’m glad the story had a satisfactory outcome in your case, but I’m afraid I’m rather cynical about the state of law enforcement in the UK these days, and was three-quarters expecting your story to end with some variant of “...and after releasing them for lack of evidence, the police decided to prosecute me for taking pictures of the ‘thieves’ without their consent.”
Icon because, well, I’m obviously a grumpy old git now.
From the previous article:
A normal condition of SHPOs is that they ban the offender from using private browsing mode, deleting browser history or doing anything else that prevents unskilled police employees on home visits from trawling through an offender's internet activities.
"Our unit does not have specialist software for home visits and we have to rely on the honesty of the offender," said DC Hollis, as reported by the Eastern Daily Press. "It would be impossible for us to know if he has deleted any history."
So it's something alike "show us we can trust you" - as they can, as happened, to decide to perform a deeper analysis if suspicious - without deploying a far more intrusive surveillance.
Anyway, luckily many criminals are stupid, as in this case. You know you're under surveillance and then act against yourself? At least a real hacker would have been able to write his own cleaning utility, instead of using one with a bad reputation.
Biting the hand that feeds IT © 1998–2020