Attacks/Breaches
6/21/2012
12:05 PM
50%
50%

Feds Bust Hacker For Selling Government Supercomputer Access

Pennsylvania man allegedly offered to sell login access to two Department of Energy supercomputers, as well as remote administration capabilities, for $50,000.

Mission Intelligence: NRO's Newest Spy Satellites
Mission Intelligence: NRO's Newest Spy Satellites
(click image for larger view and for slideshow)
The FBI last week announced the arrest of Andrew James Miller, 23, in Devon, Penn., on charges of hacking into numerous computers and selling stolen access credentials.

According to a grand jury indictment unsealed last week, Miller (a.k.a., Green, man, manual, libuuid, news, asfjp) was a member of a hacking group known as the Underground Intelligence Agency (UIA), and worked with another group member known as "Intel," who wasn't indicted.

According to the indictment, from 2008 to 2011 "Miller and others allegedly remotely hacked into computer networks belonging to RNK Telecommunications Inc., a Massachusetts company; Crispin Porter and Bogusky Inc., a Colorado advertising agency; the University of Massachusetts; the U.S. Department of Energy; and other institutions and companies."

"Miller and other members of the conspiracy remotely, surreptitiously, and without authorization, installed 'backdoors' onto computer servers and created 'magic passwords' that provided 'root' access to these compromised servers," according to the indictment. "Miller and other members of the conspiracy sold, or otherwise transferred, these 'magic passwords' and other stolen login credentials to others, including to an undercover agent from the Federal Bureau of Investigation."

[ Privacy Rights Clearinghouse has logged 266 breaches so far this year. Which are the worst? See 6 Biggest Breaches Of 2012. ]

Authorities said that in February 2011, Miller offered to sell the undercover FBI agent "root access to RNK's computer network" in exchange for two $500 payments, sent through Western Union, and addressed to "Andrew Miller" in Lancaster, Penn. After an agent transferred the first $500, "Miller provided the FBI [undercover agent] with the backdoor credentials and a list of hundreds of usernames and passwords that allowed root access to the RNK network." After transferring the other $500, authorities said that Miller then sold them access credentials for Crispin Porter and Bogusky, as well as the University of Massachusetts Amherst.

In April 16, 2011, meanwhile, the indictment said that Miller chatted with the undercover agent and said he'd accessed two nersc.gov supercomputers owned by the National Energy Research Scientific Computer Center (NERSC), which provides computer resources for the U.S. Department of Energy. In July 2011, authorities said that for $50,000, he offered to sell the undercover agent "login credentials to a series of computer networks that would enable remote access to the domain 'nersc.gov.'"

The charges filed against Miller include conspiracy, computer fraud, and access device fraud. If convicted of all charges, Miller faces up to 30 years in prison, as well as three years of supervised release, a $250,000 fine, and having to pay restitution.

Interestingly, the NERSC website notes that the type of data theft allegedly practiced by Miller is the center's top information security concern. "Credential theft represents the single greatest threat to security here at NERSC," according to the site. "We are addressing this problem by analyzing user command activity and looking for behavior that is recognizably hostile."

To help, the center said it uses a special version of Secure Shell (SSH) that makes it easier for the center to monitor session activity, as well as investigate breaches. "The data collected with this version of SSH is sent to one of our security systems where it is analyzed by an intrusion detection system called Bro," according to NERSC. "Using various signatures, some complex and some fairly simple, Bro is able to alert us when an account appears compromised. Furthermore, once a compromise is confirmed, the logs from this version of SSH will help us determine the extent of the compromise and what, precisely, the intruder did."

Geared specifically toward the federal government, its agencies, and third parties, FISMA is a set of requirements aimed at establishing a baseline level of computer and network security. In our FISMA Lifts All Compliance Boats report, we show that when you reach FISMA compliance, you'll likely be compliant with just about every security mandate out there. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
PJS880
50%
50%
PJS880,
User Rank: Ninja
6/21/2012 | 6:14:10 PM
re: Feds Bust Hacker For Selling Government Supercomputer Access
30 years and $250,000 dollar fine, doesnG«÷t seem like that $1000 was such a good deal after all. WhatG«÷s more disturbing than Miller gaining access to these systems is that NERSC security measures did not catch him, it was the work of an undercover Fed. If you are going to hack systems for their credentials, you probably shouldnG«÷t ask to be paid via Western Union. Maybe PayPal would have been a better payment option, they have seller protection!

Paul Sprague
InformationWeek Contributor
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/23/2012 | 2:28:39 PM
re: Feds Bust Hacker For Selling Government Supercomputer Access
That's a good point Paul. It is telling that it took undercover work to get an arrest. It underscores the complexity of the security problem, because it is always going to be an arms race between security technologies and the attackers.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.