Security Watch

Equal-Opportunity Stupidity

The bad guys might not be as smart as we fear they are.

Where are the stories of stupid hackers and data thieves? We seem to be idolizing them as smart, crafty and wise. No matter what we do, they seem to find a way into our networks. If our technological controls are tight, they'll use social engineering. If our people are suspicious, they'll find some new Internet Explorer vulnerability. Forget criminal elements and genius bit-twiddlers: Sometimes it feels like we have to be perfect just to keep the script kiddies at bay.

That's another way of asking: Do the black hats have all the smart folks, while the white hats have all the dummies?

Nope. Stupidity reigns in the underworld as well. Last year, Edward Krastof, a Home Depot employee in Concord, California, was arrested for stealing the names, Social Security numbers, bank account numbers and addresses of thousands of Wells Fargo customers.

Krastof confessed to stealing the computer and some artwork from the home of a consultant working for Wells Fargo. When asked about the data on the computer, Krastof denied knowing that the computer had sensitive data on it.

Although it's hard to not be skeptical of his claim, he might not be lying. He might, instead, just be stupid. Consider that he was caught because he used the computer to log on to the Internet using the AOL account belonging to the consultant. AOL had been warned by the authorities to watch for logons to the account, and the location was easily traced to Krastof's home. The laptop was in the house, right next to the stolen artwork hanging on the wall. (Hint to computer thieves: Don't access the Internet using an account belonging to the computer's owner. But if you do, don't do it from your home.)

In another incident, Christopher Phillips, a student at the University of Texas at Austin, was indicted earlier this month for attempting to breach computers and access private data belonging to students and staff.

UT was considerate. They warned him to stop. He didn't. Phillips did it again and was indicted on four counts of fraud for breaking into the school's computers and stealing 37,000 names and Social Security numbers. (Geez, if you're lucky enough to get off with a warning, or several, go attack someone else's computer system. Who did you think they'd suspect when they detected the theft?)

And what about the man who stole the house-arrest GPS-tracking device? Yup, police tracked and found him easily.

Then there's David Allen Smith and his extensive child pornography collection. Apparently he took the computer on which he stored it in for repairs. Shop personnel found the child pornography on the computer. Smith, if convicted, could serve many years in prison.

Consider the case of the woman in Houston who attempted to steal the identity of the county's district attorney. The woman, Sharon Durbin, allegedly wrote 21 fake checks totaling more than $9,000. One bright spot for her: The DA won't be the one prosecuting her, since there's an obvious conflict of interest.

The point here is not to belittle those who aren't the brightest penny in the roll, nor to lull you into believing you can relax your efforts at securing your information systems. Rather, my message is that there is just as much stupidity on the other side. Let's have a few good laughs at their expense every now and then, instead of at our own.

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP, is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.
