Hungarian hacker Attila Nemeth gets 2 1/2 years in jail for his crimes
Feb. 6, 2012
A job-hunting hacker in Hungary who tried to get a job with the Marriott hotel chain by hacking into its network and then offering to sort out the resulting mess has been found guilty of hacking and attempted extortion, and will spend the next 2 1/2 years in a U.S. federal prison.
Attila Nemeth, 26, admitted to sending Trojan-infected emails to workers at the hotel chain late in 2010, which allowed him to reach back-end servers from the PCs he managed to infect.
Nemeth then extracted sensitive data which he threatened to reveal unless the hotel chain offered him a job maintaining Marriott's computer systems.
Marriott responded to the event by reporting Nemeth to U.S. authorities, who ran a sting operation. Nemeth entered into email and phone conversations with a U.S. federal agent posing as a hotel manager and was persuaded to travel to the United States, ostensibly to attend an all-expenses-paid job interview.
Under the guise of a Marriott job interview, Nemeth was coaxed into explaining how he hacked into the company's computer systems. He was subsequently arrested and charged with computer crime and extortion.
Nemeth then pleaded guilty to both crimes last November prior to a sentencing hearing last week, where he was sentenced to 2 1/2 years behind bars.
Marriott Hotels estimates that Nemeth's intrusion cost it between $400,000 and $1 million in consultant fees and other expenses incurred in determining how much damage the hacker might have caused.
In other internet security news
Cim Stordal, a fifteen-year-old, has discovered critical security flaws in software from Google, Facebook, Microsoft and Apple.
When he's not in school, Cim spends part of his time playing the Team Fortress video game, shooting his Airsoft pellet gun, and working in a fish store in Bergen, Norway.
But his real passion is hunting for, and discovering, security flaws in software used by millions of people today, both on and off the internet.
Cim has made the Google Security Hall of Fame. He has also been credited with disclosing a cross-site scripting issue to Apple, has been thanked by Microsoft officials for disclosing a security vulnerability to the company, and received an elite 'White Hat' Visa card from Facebook with $500 credit on it.
"I got a card for a self-persistent XSS (cross-site scripting issue) at Facebook, and a nonpersistent XSS at Google, Microsoft, and Apple," he said.
Because it was a self-persistent issue, the Facebook security hole that Stordal disclosed wasn't exploitable by a third party: a user had to take an action themselves before being at risk.
"I just look around at the site and find out where I can input HTML code and it's not filtered in the source code. Often they filter some characters but forget some or they totally forget that input," he said.
"What an attacker often wants is just the cookie, which can be used to log in as the user," he said. Stordal added that of all the sites he poked around in, Apple was, surprisingly, the easiest to find a security flaw in. "I found the Facebook security issue after four days and the Google one after three, but Apple took me only five minutes" to find two XSS flaws, he said. Apple representatives did not respond to a request seeking comment.
And the companies involved appreciate his efforts, particularly because he tells them before going public with any of the details. "Everyone was happy about it and they fixed the issues kind of fast," he said.
Stordal started looking for security vulnerabilities in software when he was just 14 years old last year. "I have always loved being on the PC and I already was programming some C++," he said. "So I wanted to do something new and constructive, so I searched around and learned Basic programming."
Cim's friends are impressed with his skills and ask him to help keep their Web sites secure. His parents aren't really sure what to make of his research.
"They think it's kind of cool, I guess, as they don't understand what I do," he said. "But they also don't want me to stay on the computer all day."
His next move is looking for security vulnerabilities on mobile devices. He's trying to set up a fuzzer (an automated software testing tool) on his iPhone 3GS.
In other internet security news
The hacking group Anonymous knocked several U.S. federal websites offline. Most of the sites taken down were up and running again early this morning, including those of the Department of Justice, the FBI and some entertainment sites.
The attacks followed what has been described as one of the U.S. federal government's largest anti-piracy crackdowns. The hacktivist collective Anonymous admitted that it was responsible for taking down the sites yesterday.
Hours after the announcement of the arrests, some of Megaupload's site visitors turned the tables on the feds, knocking the U.S. Department of Justice and FBI websites offline.
Both sites appeared to be back up this morning, however. A law enforcement official said that the FBI was investigating. Anonymous said ten websites in all were targeted, and early Friday the sites of the music publishing and licensing group BMI and of record company Universal Music were still down.
When the sites were visited, they said "This site is under maintenance. Please expect it to be back shortly." The hacker group announced its intentions on Thursday.
"We, Anonymous, are launching our largest attack ever on government and music industry sites. Lulz," the group said in a statement posted late Thursday on an associated Twitter account. "The FBI didn't think they would get away with this did they? They should have expected us."
The hacking group also posted personal information on former Connecticut Senator Chris Dodd, chairman of the Motion Picture Association of America, one of the targeted sites.
A Justice Department spokesperson, who did not want to be identified, said its Web server was "experiencing a significant increase in activity, resulting in a degradation in service."
"The department is working to ensure the site is available while we investigate the origins of this activity, which is being treated as a malicious act until we can fully identify the root cause of this disruption," the spokesperson said.
The website errors came soon after various Twitter accounts associated with the collective took aim at the U.S. government. Anonymous' favorite weapon for these attacks is what's called a "distributed denial of service" (DDoS) attack, which directs a flood of traffic to a website and temporarily crashes it by overwhelming its servers.
It doesn't actually involve any hacking or security breaches. "One thing is certain: EXPECT US! Megaupload" read one tweet from AnonOps that went out midafternoon. One hour later, the same account tweeted a victory message "Tango down! universalmusic.com & justice.gov are... Megaupload"
Speaking of the Web attacks, an Anonymous representative said 5,635 people used a networking tool called a "low orbit ion cannon." A LOIC is a software tool that aims a massive flood of traffic at a targeted site.
The news comes as lawmakers have turned their attention to anti-piracy legislation. Protests erupted both online and offline this week against two newly proposed bills under consideration in Congress: the House's Stop Online Piracy Act (SOPA) and the Senate's Protect IP Act (PIPA).
The new bills are aimed at cracking down on copyright infringement by restricting access to sites that host or facilitate the trading of pirated content. But the legislation has created a divide between tech giants, who say the language is too broad, and large media companies, who say they are losing millions of dollars each year to rampant online piracy.
On Twitter, YourAnonNews said that yesterday's attacks meant an involuntary blackout for sites of SOPA supporters. Universal Music's website went down Thursday afternoon. The music company had been locked in a legal battle with Megaupload over a YouTube video that featured many of Universal Music's signed artists promoting Megaupload's site.
The websites of the Recording Industry Association of America and Motion Picture Association of America were out of action Thursday afternoon, but they appeared to be back up later in the evening.
"The fact that a couple of sites might have been taken down is really subordinate to the significant news today that the Justice Department brought down one of the world's most notorious file-sharing hubs," he said.
The Anonymous attack came soon after the Justice Department announced the indictment of seven individuals connected to Megaupload for allegedly operating an "international organized criminal enterprise responsible for massive global online piracy of copyrighted material."
Source: Cim Stordal.