If infosec had a “Darwin Award”, or 7 stories about stupidity, absurdity, gullibility and their consequences

There are people on our team whose job is to monitor information security news. Every day they plow through a pile of material in Russian, English, Spanish and a couple of other languages. The digest is scattered across departments: some check whether any familiar companies are among the victims, others pick out illustrations for an article or examples for training or a webinar. But for some stories we keep a special folder: “ingenious” fraud schemes and surprisingly naive blunders. For April 1 we decided to dig through that stash and selected several stories whose protagonists deserve the infosec version of the Darwin Award.


1. Nomination “Hospitality”


In 2014, a lovely elderly woman arrived at a prison in South Dakota, USA, and introduced herself as a health inspector. She told the staff she had to check the conditions the prisoners were kept in and compliance with sanitary and hygiene standards in the office premises.

The woman was greeted cordially and taken to every office she asked to see. The guards were not even fazed by her request to visit the IT systems management center and the server room, supposedly to check for mold. She was allowed to bring her phone with her and take photos, and was often left alone.

As a result, Rita Strand (the so-called “inspector”) freely collected information about the prison’s entire infrastructure: access points, PCs, physical security measures. And she compromised every computer she came across by plugging a USB Rubber Ducky into it to capture data. She even got into the office of the prison’s head, who himself (!) invited her in. It took Rita 45 minutes to do all of this.

The funny thing is that Rita Strand had no hacker skills whatsoever. She had worked in catering all her life and had never taken part in any “spy” affairs. She volunteered to break into the prison’s security in place of her son, information security expert John Strand, who had been hired to perform the pentest. It was he who supplied her with the “USB ducks” and all the instructions, but he did not expect the penetration to be so simple. He shared the story at a specialized conference six years later, without revealing the name or location of the prison. Presumably the jailers are still embarrassed.

2. Nomination “Tinder of the brain”

The heroes of this story were several dozen Israeli army soldiers. All of them made pleasant acquaintances online, and then discovered they were leaking state secrets.

The incident became public this February. It was reported that since the end of 2019, girls had been actively messaging soldiers on social networks and dating sites. Right away they were ready to share racy photos, but only in a special protected app (otherwise they’d leak onto the net!), which the soldier was offered to download from a link.

Those who gave in to the persuasion found that their smartphones started behaving strangely: data transfer switched on, outgoing traffic grew, the camera and the microphone turned on by themselves. It soon became clear that the “secret chat” with photos was malware for remote control of the phone, and the “girls” were Hamas hackers. For several months they had access to the location of the affected devices, their photos and phone contacts.

Israeli army representatives claim they uncovered the scheme almost immediately but chose not to react, so as to observe the situation. And supposedly no valuable data flowed to the Palestinian militants, because all the soldiers had been warned of the danger in advance.

3. Nomination “Rake Dance”


This could be any of probably hundreds of stories about Elasticsearch with no password. Or MongoDB. Or any other database where users do not set passwords and, in effect, leave the data in the public domain. This is indeed one of the most common leak channels: in 2018, 540 million Facebook accounts leaked this way (the social network had trusted Mexican analysts from Cultura Colectiva, and the contractor did not protect the server). In 2016, data on 80% of Americans with voting rights leaked (the private data of 198 million people).

But this year the win in this nomination goes to the Whisper app. It was positioned as “the safest place on the Internet”, where users could anonymously share their most secret secrets. And then the developers accidentally exposed the data of 30 million people. It turned out that Whisper had been storing an archive of all its users since 2012.

From the unprotected database, the content of the “secret” posts leaked onto the net: stories about fears, hidden desires, confessions of immoral and criminal acts, intimate secrets. But the main thing is that user account details (nicknames and the email addresses and phone numbers associated with them), their age, nationality and location at last login ended up in the public domain. Sometimes the geodata was enough to pin down a specific residential area and workplace. About 1.3 million of the compromised accounts belonged to adolescents under 15 years of age.
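What “users do not set passwords” looks like in a config file, as an added illustration that is not taken from the article or from any of the companies it mentions: the first variant of each file leaves the database listening on every interface with no authentication, so anyone who can reach the port gets full read, write and delete access; the second binds it to the loopback interface and turns authorization on. The file names and keys are the real Elasticsearch and MongoDB settings; the four fragments are separated as YAML documents only so they can sit in one block, and the comments are mine.

```yaml
# elasticsearch.yml, the "Rake Dance" variant: reachable from any network,
# security off, every index readable and writable over plain HTTP on port 9200.
network.host: 0.0.0.0
xpack.security.enabled: false
---
# elasticsearch.yml, corrected: listen only on the local machine (or an
# internal interface) and require authentication for every request.
network.host: 127.0.0.1
xpack.security.enabled: true
---
# mongod.conf, the weak variant: bound to all interfaces, no access control.
net:
  bindIp: 0.0.0.0
  port: 27017
security:
  authorization: disabled
---
# mongod.conf, corrected: local-only binding plus role-based authorization,
# so every client must present credentials for a user with a defined role.
net:
  bindIp: 127.0.0.1
  port: 27017
security:
  authorization: enabled
```

Two caveats a defender should keep in mind. In the Elasticsearch versions of the era this post describes, the security features were switched off out of the box, which is exactly how the open instances came to be; newer releases enable them by default. For MongoDB, enabling `authorization` without first creating an administrative user would lock you out, so create the admin user in the `admin` database before restarting with the hardened file. In both cases, binding to the loopback interface is the setting that does the most work: a database that is not reachable from the Internet cannot be indexed by a search engine for open services, no matter how the authentication is configured.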

4. Nomination “If I don’t see it, it didn’t happen”


At the beginning of this year, the Kazakhstan information security company “Center for Analysis and Investigation of Cyber Attacks” told the media that it had discovered a major data leak from the information system of the Prosecutor General’s Office of the Republic of Kazakhstan. Records on every citizen of Kazakhstan and every foreigner against whom administrative proceedings had ever been opened in the republic were freely accessible online: all their fines, warnings, home addresses, photographs of the offenders, license plate numbers and vehicle data. Moreover, access to the prosecutor’s office system turned out to be open from the Internet, and any user could edit or delete cases and open new ones. Since the system is integrated with all of the country’s e-government services, the internal data of any government agency may be compromised.

The researchers noted that they contacted the agency several times but got no reaction. Even after public disclosure of the vulnerability, Kazakhstan’s prosecutor’s office stands its ground: nothing of the sort, “the data is not available on the Internet in the clear.” Amazing stubbornness.

5. Nomination “For Information Exhibitionism”


A bank clerk from North Carolina, USA, stole more than $88,000 from customer accounts. The man withdrew funds from deposits and forged documents to cover his tracks. He managed to pull off the scheme at least 18 times, and in the meantime his circumstances improved markedly and he began to live large. And all would have been fine if he hadn’t decided to boast about his success on Facebook and Instagram.

Photos with stacks of cash, expensive alcohol, jewelry and cars began to appear regularly on the American’s page. The photos were popular; in the end, the police took an interest in them too.

By April 2019 the case went to court; the American faces up to 30 years in prison and a fine of $1 million. The material from social networks was attached to the case. For example, a post where the man poses in front of a brand new Mercedes-Benz, a photo together with the $20,000 check he had written as a down payment for the car, became one of the pieces of evidence for the charges.

A similar story happened in Colombia with the head of an internal control service for shipping. Omar Ambuel received an official salary of $3,000 a month. Meanwhile his daughter, who lived in Miami and ran a modest ice cream shop, led a truly luxurious lifestyle. Her Instagram regularly featured photos with purchases from expensive brands, behind the wheel of a new Lamborghini or Porsche, on vacation at luxury resorts.


Trouble struck when the police appeared among the socialite’s followers. Through the girl they got to her father and asked him a reasonable question: can the family of an ordinary civil servant afford such a dolce vita? The authorities believe the official built a criminal network in the Colombian port and received multimillion-dollar bribes for smuggling. In April 2019, Ambuel, his wife and daughter were arrested, right at an expensive resort. As they say, thanks for the tip-off, pictures.

6. Nomination “Pizza as a weapon of fate”

Not only small-time thieves get caught on trifles, but also the real grandees of cybercrime.

David Bukoski, creator of one of the oldest DDoS-for-hire services, Quantum Stresser, had been successfully hiding from the authorities since 2012. In 2018 alone, his brainchild was used to take down about 50 thousand information systems around the world; in total, the service accounted for more than 80 thousand completed orders for cyber attacks. Although the website quantumstress[.]net was taken down during an international operation in 2018, law enforcement was still looking for a way to reach the owner and trying to establish his identity.

The cat-and-mouse game dragged on, and David relaxed. In early 2020 he decided to order pizza to his home and left a contact email on the delivery site … the same one he had once used to register his domain.

Earlier, that address had appeared on the “blacklists” of several services David used to advertise Quantum Stresser and receive payments from customers. When the companies cut him off, he sent them official letters asking them to explain the refusal. That is how the police learned the hacker’s real name. And the delivery order revealed his home address. The bottom line: a pizza with bacon and chicken cost Bukoski a suspended sentence of 5 years.

By the way, in 2012 another cyber-genius was given away by the same kind of order: Yuri Kovalenko, one of the authors of the famous Zeus. In London he headed a cell of the botnet’s “operators” and worked quietly, despite having the FBI on his tail, until he placed an online order for lunch delivery straight to his headquarters. So pizza remains a weapon of fate.

7. Nomination “Hustling as best I can”


There are people who firmly believe: if you beat someone up and then offer to be hired as his bodyguard, he will gladly agree. In the real world that sounds crazy. In the virtual world, though, such characters still exist.

For example, officers of Department “K” of the Russian Ministry of Internal Affairs in the Vologda Oblast recently detained a failed “pentester”. As the investigation established, the man carried out a DDoS attack on the online store of the largest enterprise in Cherepovets. The detainee admitted that he had deliberately overloaded the site: he was testing it for resilience so that he could later offer the owners his services in protecting against DDoS attacks.

There are plenty more stories to laugh at. One could recall a recent incident in Germany, where a laptop with top-secret instructions for destroying the country’s missile defense system was sold on eBay. Or how officers of the Israel Defense Forces’ signals intelligence units hacked the server of the army personnel department to get additional, unscheduled vacations, including paid hotel stays. But one can only marvel that over the past 4 years the UK Ministry of Defence has lost almost 800 laptops containing military secrets.

Poke us in the comments if we missed something. Are there more worthy nominees?
