The bad guys might not be as smart as we fear they are.
- By Roberta Bragg
Where are the stories of stupid hackers and data thieves? We seem to be idolizing
them as smart, crafty and wise. No matter what we do, they seem to find a way
into our networks. If our technological controls are tight, they'll use social
engineering. If our people are suspicious, they'll find some new Internet Explorer
vulnerability. Forget criminal elements and genius bit-twiddlers: Sometimes it
feels like we have to be perfect just to keep the script kiddies at bay.
That's another way of asking: Do the black hats have all the smart folks, while
the white hats have all the dummies?
Nope. Stupidity reigns in the underworld as well. Last year, Edward Krastof,
a Home Depot employee in Concord, California, was arrested for stealing the
names, Social Security numbers, bank account numbers and addresses of thousands
of Wells Fargo customers.
Krastof confessed to stealing a computer and some artwork from the home of
a consultant working for Wells Fargo. When asked about the data on the computer,
Krastof denied knowing that it held sensitive data.
Although it's hard not to be skeptical of his claim, he might not be lying.
He might, instead, just be stupid. Consider that he was caught because he used
the computer to log on to the Internet using the AOL account belonging to the
consultant. AOL had been warned by the authorities to watch for logons to the
account, and the location was easily traced to Krastof's home. The laptop was
in the house, right next to the stolen artwork hanging on the wall. (Hint to
computer thieves: Don't access the Internet using an account belonging to the
computer's owner. But if you do, don't do it from your home.)
In another incident, Christopher Phillips, a student at the University of Texas
at Austin, was indicted earlier this month for attempting to breach computers
and access private data belonging to students and staff.
UT was considerate. They warned him to stop. He didn't. Phillips did it again
and was indicted on four counts of fraud for breaking into the school's computers
and stealing 37,000 names and Social Security numbers. (Geez, if you're lucky
enough to get off with a warning, or several, go attack someone else's computer
system. Who did you think they'd suspect when they detected the theft?)
And what about the man who stole the house-arrest GPS-tracking device? Yup,
police tracked and found him easily.
Then there's David Allen Smith and his extensive child pornography collection.
Apparently he took the computer on which he stored it in for repairs. Shop
personnel found the child pornography on the computer. Smith, if convicted,
could serve many years in prison.
Consider the case of the woman in Houston who attempted to steal the identity
of the county's district attorney. The woman, Sharon Durbin, allegedly wrote
21 fake checks totaling more than $9,000. One bright spot for her: The DA won't
be the one prosecuting her, since there's an obvious conflict of interest.
The point here is not to belittle those who aren't the brightest penny in the
roll, nor to lull you into believing you can relax your efforts at securing
your information systems. Rather, my message is that there is just as much stupidity
on the other side. Let's have a few good laughs at their expense every now and
then, instead of at our own.
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.