Crime Security

Paying Hacker Extortion 412

An anonymous reader writes "A friend works as CIO at a medium sized publicly traded company. The company was contacted by a hacking group and told to pay $100,000 to prevent their company from being hacked/attacked. They actually paid the extortion (told authorities after). The authorities said the company could be charged with supporting Terrorists. Seeing that most publicly known hacks are costing companies this size nearly a million dollars, is this supporting terrorists or supporting stockholders?"
  • by alphatel ( 1450715 ) * on Tuesday June 21, 2011 @03:39PM (#36519256)

    Is this supporting terrorists or supporting stockholders?

    1) Neither, it could be a 12 year old with hotmail sending threatening emails.
    2) Both, it is another corporate goon protecting his stock options.
    3) None, they were paid out in Botcoins.

    • Re:everyone loses (Score:5, Interesting)

      by AliasMarlowe ( 1042386 ) on Tuesday June 21, 2011 @03:46PM (#36519400) Journal
      For $100k they could have got an internal security person for a year, or possibly a decent external consultant. Either way, hacking in would be made a bit harder in the future (but not impossible). As it is, they've set themselves up as a future victim for the next round of extortion.
    • by Hylandr ( 813770 )

      Bah,

      We see this in Eve online all the time.

      - Dan.

  • And now (Score:4, Insightful)

    by The MAZZTer ( 911996 ) <megazzt&gmail,com> on Tuesday June 21, 2011 @03:40PM (#36519272) Homepage
    They'll just be hacked anyway.
    • Re:And now (Score:5, Insightful)

      by odin84gk ( 1162545 ) on Tuesday June 21, 2011 @03:43PM (#36519336)

      They will get asked for money on a yearly basis.

      • by rwa2 ( 4391 ) *

        I'm curious to see what that looks like in their bookkeeping accounts.

        Whenever Verizon overcharges me, I put it under "Expenses | Prostitution", since whining at their customer support feels like phone sex. Probably could be just as illegal as supporting terrorists!

        To this day, Verizon is the only company that I still pay bills to using paper checks... I refuse to enroll into any auto billing scheme that lets them dip into my accounts of their own free will.

        • My bank (Chase) talked me into using their "Pay Bills" feature, which is actually pretty good. Other companies aren't dipping into my account, and this is just as fast as paying through the companies' websites, which is how I used to pay all my bills.
        • Re:And now (Score:5, Interesting)

          by digitig ( 1056110 ) on Tuesday June 21, 2011 @04:30PM (#36520034)
          A former colleague who had worked in some highly corrupt countries told me that the first time he filled in an expenses claim (for a visit to a country where he couldn't even get on the flight back without bribing the check-in clerk) he put down a claim for "Bribery and corruption". The accounts department bounced it and told him to put down "Payments as understood".
      • Re:And now (Score:4, Insightful)

        by jmorris42 ( 1458 ) * <jmorris@bea u . o rg> on Tuesday June 21, 2011 @03:56PM (#36519578)

        > They will get asked for money on a yearly basis.

        Which is why you never pay Danegeld. It never gets rid of the Dane.

        Trillions for defense, not a penny in tribute is the only long term strategy for dealing with aggression. And these threats are aggression and weakness in the face of aggression always invites fresh demands. We should be tracking down these 'hacking' groups with the same vigor we go after other organized crime and terrorism. If that means dropping a Hellfire missile down on a few houses in countries where the local authorities won't take this stuff seriously I'm not going to lose sleep over it. Can we bomb the spammer/phishers too while we are at it?

        • Which is why you never pay Danegeld. It never gets rid of the Dane.

          My thought exactly. Not only that, there's nothing to stop this "hacker" from raising his demands until he bankrupts the company. Or, if he's clever and the company's stock is openly traded, invest the money they pay him in their stock until he owns it.
        • by Dan667 ( 564390 )
          Really? Bombing? Oh, and the bomb you are talking about using probably costs more than $1 million even for regular ordnance after the military gets done handling it.
        • But let's say your spouse goes to Mexico for business and gets kidnapped. Do you pay? Remember, the kidnappers have to maintain their brand image. i.e. they probably will either kill or return your spouse, your choice. And if you pay, you can stay relatively safe by never crossing the border again.

          Clearly it would be better for potential victims as a whole if you don't pay. But clearly it would be better for you to pay.

        • Re:And now (Score:5, Funny)

          by flaming error ( 1041742 ) on Tuesday June 21, 2011 @05:14PM (#36520782) Journal

          > Trillions for defense, not a penny in tribute is the only
          > long term strategy for dealing with aggression.
          Sounds great, but there are always details.

          In the case of the US, we wanted to get rid of a Bear, so we spent billions raising bees. The Bear grudgingly backed off, so we started trying to drive the bees away, and they attacked us. So now we spend trillions on cruise missiles to get the bees, we strip-search each other for signs of honey, and we look over our shoulder for aggressive Pandas.

          Maybe there's another way.

        • Re:And now (Score:4, Informative)

          by laron ( 102608 ) on Tuesday June 21, 2011 @05:34PM (#36521052)

          I would modify that strategy if necessary. Example:
          In the dark ages, the German King Henry I did have a problem with Hungarians who were in the habit of looting and pillaging southern Germany. He paid them tribute for a few years, while building castles and city walls and raising militias. When he felt he was ready, he unilaterally reduced the yearly tribute to one (1) dead dog.
          http://en.wikipedia.org/wiki/Riade

      • Re: (Score:3, Insightful)

        by MaxBooger ( 1877454 )
        Oh... I didn't realize this was an article on Norton/McAfee antivirus.
    • With $100,000 I'd be too busy spending it to bother hacking anything.
    • hackers are paid
      company's security hole is plugged

  • Short answer (Score:2, Insightful)

    by Volante3192 ( 953645 )

    Is this supporting terrorists or supporting stockholders?

    One and the same...

    • by ffejie ( 779512 )
      Are you saying that the terrorists are invested in the company they are trying to hack? Unlikely.

      Or, are you making the lazy assumption that shareholders are bad people and labeling them terrorists? I got news for you: do you have a 401K or a pension? You're likely a shareholder of something. That probably doesn't make you a bad person, and certainly not a terrorist.
  • by pudding7 ( 584715 ) on Tuesday June 21, 2011 @03:41PM (#36519306)
    PayPal? Besides airdropping suitcases full of cash into the ocean, how do corporations pay ransom these days?
  • Here's a thought (Score:5, Insightful)

    by Dunbal ( 464142 ) * on Tuesday June 21, 2011 @03:42PM (#36519316)
    How about hiring someone who actually has some idea about security. THAT is supporting stockholders.
    • How about hiring someone who actually has some idea about security. THAT is supporting stockholders.

      Short term, he might have a crapload of work to do to implement best practices, clear out infected machines, train users on password complexity all while being attacked and losing business due to unavailability. Shareholders would not appreciate that, nor would any sensible security consultant promise they can dig you out of an attack as it is occurring.

      It might be best to pay them for short term protection and use that breathing space to harden up so the next time they ask, you are prepared.

      • Insurance isn't something you buy the day before you need it. Either you have good practices, or you don't. If their practices were so weak that they would even consider this, then they deserve what they get, and the management needs replacing.

    • by interkin3tic ( 1469267 ) on Tuesday June 21, 2011 @03:55PM (#36519558)
      It does seem like $100k spent on security would have longer benefits than one payoff. For that matter, maybe a $100k insurance policy would be a better investment.
    • They bought something for that $100k, namely the hacker document his hack. I'm sure she even did a contentious job for a coked up Belorussian teenager whose English does not extend beyond text speak.

      Yeah, sure $100k sounds steep for simply documenting a handful of security bugs, but they were the bugs that might've bitten you for $1M. And surely you saved way more by building your site using cheap ass Visual Basic developers, right?

      Anyways, anyone who views hacking as terrorism is a moron, especially the

      • You are assuming that there are a finite number of exploitable ways of attacking the company. Otherwise, all you have done is provide proof that you are open to blackmail and it's only a matter of time before you are blackmailed again. Presumably the CIO is hoping to have slipped away to another company by then.
  • by Rivalz ( 1431453 ) on Tuesday June 21, 2011 @03:44PM (#36519356)

    It seems like it is making everyone happy these days.
    News agencies are creaming their panties.
    Companies get to sweep shit under the rug while their competitors crash and burn. (I bet you Microsoft was heart broken to hear the PSN got hacked.)
    Hackers make some money and who knows might eventually get laid.
    The Government gets to restrict our freedoms and buy bigger shiny new toys and has even more reasons to keep printing money until it costs more to print it than it's worth.

    I get the pleasure of changing my password every twenty minutes to something like LKJGDSKLeiojgtqpltjwe4jt]90iejaasdfHippofucknuggets

    Everyone WINS!

  • by Jaime2 ( 824950 ) on Tuesday June 21, 2011 @03:44PM (#36519366)
    Paying ransom is almost always a bad idea for the community as a whole. The authorities are simply trying to make the company do the right thing instead of the selfish thing. The biggest problem with security is that the incentives are rarely aligned with the responsibilities; this is a classic case of re-aligning those by pushing the societal cost back to the people who are in a position to make the decision.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      The authorities are simply trying to make the company do the right thing instead of the selfish thing.

      And threatening them with a crime is always a good way to encourage them to talk to the cops next time, because I'm sure the cops would have put that right at the top of their todo list before the money had traded hands.

      Right...

  • by copponex ( 13876 ) on Tuesday June 21, 2011 @03:45PM (#36519374) Homepage

    With the savings your friend could hire some real security experts to keep their systems online.

    As for the terrorism bit, it makes me wonder when we can sue members of the Reagan Administration for arming the proto-Taliban, Saddam Hussein, and Iran. Clinton and Obama owe us a few bucks for Pakistan too, when they inevitably start arming terrorists in the near future. What's good for the goose is good for the gander, right?

  • Neither (Score:4, Insightful)

    by Rary ( 566291 ) on Tuesday June 21, 2011 @03:46PM (#36519398)

    Is this supporting terrorists or supporting stockholders?

    "Supporting terrorists" is a stupid description, and the idiot who said that needs a kick in the teeth. However, also stupid was paying these jackasses. Take every precaution you can, get the authorities involved as a backup, maybe even alert your shareholders to the threat, but do not pay extortionist script kiddies.

    • If they had had the authorities involved from the beginning they might have been able to arrange for the money to be traced.
  • by Anonymous Coward on Tuesday June 21, 2011 @03:47PM (#36519420)

    What's the name of your friend's company?

  • Dubious? (Score:5, Interesting)

    by rueger ( 210566 ) * on Tuesday June 21, 2011 @03:47PM (#36519422) Homepage
    Am I alone in finding this story incredibly sketchy? Either the company, the poster, and the police are stunning idiots, or it's just bullshit created to inflame a bunch of slashdotters.

    If some kind of attribution can't be found, I call BS.
    • "Anonymous reader" and "a friend". I think you're right. Mark you, someone I was talking to at the bar last night said his cousin's best mate's sister's uncle had the same thing happen to him.
    • They actually paid the extortion (told authorities after). The authorities said the company could be charged with supporting Terrorists.

      So "the authorities" can prove that the criminals are in fact terrorists, and that the money made it to them, right? But they can't catch them, is that also right?

      Yeah, it sounds a little fishy.

    • by hey! ( 33014 )

      That was my reaction too. Sounds like an urban legend.

      The thing that sounded most bogus to me was the $100,000 ransom. Unless it was in cash, it'd be traceable. If it *were* cash, taking that much cash out would trigger a money laundering investigation.

    • by bartwol ( 117819 )

      Very dubious. Slashdot often posts BS stories simply because doing so engages their readers. It is not a requirement of the editors that a story has integrity; only that a certain percentage of the stories have integrity. That's enough to keep people coming back with hope that their time isn't going to be wasted.

      This time, we're losers. And, yes, to me, it is mildly humiliating to be a participant in this.

      Slashdot. Not journalism. Infotainment. Hi BS quotient.

      (And that's why I read and respond less and l

  • by wolfsdaughter ( 1081205 ) on Tuesday June 21, 2011 @03:47PM (#36519424)

    Dane-geld
    (A.D. 980-1016)

    IT IS always a temptation to an armed and agile nation,
            To call upon a neighbour and to say:—
    “We invaded you last night—we are quite prepared to fight,
            Unless you pay us cash to go away.”

    And that is called asking for Dane-geld,
            And the people who ask it explain
    That you’ve only to pay ’em the Dane-geld
            And then you’ll get rid of the Dane!

    It is always a temptation to a rich and lazy nation,
            To puff and look important and to say:—
    “Though we know we should defeat you, we have not the time to meet you.
            We will therefore pay you cash to go away.”

    And that is called paying the Dane-geld;
            But we’ve proved it again and again,
    That if once you have paid him the Dane-geld
            You never get rid of the Dane.

    It is wrong to put temptation in the path of any nation,
            For fear they should succumb and go astray,
    So when you are requested to pay up or be molested,
            You will find it better policy to say:—

    “We never pay any one Dane-geld,
            No matter how trifling the cost,
    For the end of that game is oppression and shame,
            And the nation that plays it is lost!”

  • Plenty of good business decisions are illegal. For example, many international trading companies would be more profitable if they expanded into the lucrative cocaine transportation markets. That doesn't mean they can legally do so just because it increases dividends! If the hacking group in question here is a designated Foreign Terrorist Organization (yes, there is a list), then giving them money is a federal crime - regardless of the reason for the payment or how much business sense it makes.
    • by geekoid ( 135745 )

      No it's not. Willingly and knowingly giving them money is; something this would not qualify as since they were coerced.

    • Yes, and the sad fact is if this was all real, and they hadn't paid, and the hacker(s) did do what they claimed, the company could now have a whole mess of broken regulations and such depending on what type of information they were dealing in and what was taken (which may have cost more than $100,000 in fines, lost customers, damage control and repair costs, etc)...

      And I still think this story is bogus, or someone is such an incompetent fool and shouldn't be working for that company.

  • by InitZero ( 14837 ) on Tuesday June 21, 2011 @03:55PM (#36519564) Homepage

    So you say a mid-sized company paid a $100,000 extortion? That money went 'poof', right? Untraceable, right? Call me the suspicious sort but are we sure this is extortion and not embezzlement?

    Cheers,
    Matt

  • I think you will find it is illegal to pay extortion money to criminal groups in most parts of the world. Your friend's employer will also now be on a sucker's list of people they will try to get increasingly larger amounts of money out of, so no, this is not supporting the stockholders.

  • If I recall, anyone who brings any form of material compensation (goods or supplies) to an organization that is a terrorist organization or supports a terrorist organization is in turn guilty of supporting a terrorist organization. What the US Government is trying to do is make it illegal to directly or indirectly support any organization they deem 'terrorist', with the original intent of cutting down the 'money pushers' - the people who procure funding under false pretense and transfer it to entities host
  • If you pay a ransom it only encourages you to be hit again and again. At least if you bring in the authorities first then pay the ransom the money can be tracked through all the banks if they say it's a good idea, but they'll probably say the same thing that it's a bad idea. Chiquita banana has been in similar hot water with paying the local warlords their protection money.
    • by geekoid ( 135745 )

      OTOH, you could not pay and have your business grind to a halt, people could die. It's always about risk.

      As much as the media likes to use it as a plot device, it's not simply don't pay and it won't happen.
      And the exchange of money isn't the end game.

    • by mark-t ( 151149 )

      So... if some guy that is clearly bigger and stronger than you are holds up a knife to you and says "gimme your wallet", do you still say no?

      Just sayin'... if something's important enough to you, you will pay whatever you can afford to keep it safe.

  • Otherwise a bank teller that gives money to a robber that's pointing a gun at them is supporting terrorism.

    • by geekoid ( 135745 )

      No. One is a threat of immediate death, the other is having IT shut down outside access.

      Both have their costs, but they are not the same.

  • "The authorities said the company could be charged with supporting Terrorists."
    Not likely, and it would never fly in court unless it could be proved it was intentionally set up to launder money.

    It's authorities being pissy they weren't called first.

  • by drolli ( 522659 ) on Tuesday June 21, 2011 @04:26PM (#36519992) Journal

    a) I wonder which idiot put his/her signature under such a transfer. I presume there was no life in danger, which is the only reason one could think about supporting criminals. Fuck these guys (the crackers and the company). For 100000 dollar I can invest enough time to hack (presumably by social engineering and really simple attacks) into at least 10 companies; and I am not a professional, neither white-hat, nor black-hat.

    b) From the formal viewpoint, this looks like corruption. You pay people without any proof that they did something for you for a lot of money. Who keeps some employee from sharing his secrets and getting something back from some friends? Would be too easy!

    c) If they have been hacked already and just pay the blackmail money not to see their customer details in the newspaper, then it would be better to be completely honest about it.

    d) I don't think it should be considered to be "supporting terrorists", but it could be funding well organized crime.

  • Is this supporting terrorists or supporting stockholders? They're the same in my opinion. No regard for people, only there for a "higher" cause which originates from some ideology.
  • The cops, who are supposed to protect the victims here, decide to threaten them instead. Who's the terrorist now?

  • To pay not only encourages them to do it again, but helps finance their next criminal activity.

    You have no guarantee other than the word of a criminal and extortionist that they won't do it anyhow, or jack you for more cash next month.

    Terrorism?!?! Not unless your system runs life support systems or something. It's amazing what some bozos call terrorism... No, I take that back, they tend to call everything they don't like terrorism, even unpopular ice cream flavors.

    Protecting the stockholders. Only in the
  • Why do you think that supporting stockholders isn't also supporting terrorists? I mean, why not pay em $200,000 for them to take down a rival? It's a free market, man.
