When Security Exploits Have Exploits
from the piling-on dept
We’ve talked in the past about how security software sometimes needs security software itself — but what about security exploits? A popular scam these days among some script kiddies is to lock up important data on someone’s computer unless they pay an extortion fee to release the data. Of course, it should come as no surprise that these exploits have exploits of their own… as one security firm discovered this week, releasing the universal password that will unlock your data should you happen to get caught by one of these scams. Apparently, all you need to know is: mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw. Of course, it’s not surprising to find out the a script kiddie scam has exploits, but it does suggest a different kind of race for some security companies. Instead of just focusing on patches, look for ways to break the scam software itself.
Comments on “When Security Exploits Have Exploits”
I thought it was illegal and against the DCMA to reverse engineer software?
The script kiddies could sue the security firm for this!
Re: Re:
That is stupid and american. Suing because someone stopped your illegal activity.
With that in mind, it will probably happen. Because we’re full of sue-happy idiots here in America.
Re: Re: Re:
“That is stupid and american. Suing because someone stopped your illegal activity.”
While someone could file a lawsuit for this (and thus, you could say someone was sued for stopping their illegal activity), the case would undoubtedly be dismissed the second the presiding judged stopped laughing himself out of his seat.
DMCA
I wonder if the “ransomware” writers can sue under the DMCA’s anti-circumvention provisions (well, if it was in the States).
Re: DMCA
“I wonder if the “ransomware” writers can sue under the DMCA’s anti-circumvention provisions (well, if it was in the States).”
No. According to the dirty hands doctrine, certain aspects of the criminal and civil laws do not apply to persons engaged in criminal activities.
As an example, even if you sign a contract with a prostitute that says you pay her in advance for 12 ‘sessions’ and she refuses to provide any services, you cannot sue her for breach of contract or for fraud. (Assuming this happens in the 99% of the USA that prohibits prostitution.)
While I haven’t heard of a DMCA case being dismissed or lost because of the dirty hands docrtine so far, I can pretty much guarantee that someone who commits several federal felonies will run afoul of it.
Lovin It
I’m loving this offensive mentality that is popping up on the net. We’re not just dodging spam anymore, we’re fighting back. We’re not trying to prevent exploits, we’re exploiting the exploits. Fighting fire with fire. I love it.
This would kinda be like saying “I was robbing a bank, and the security guard hit me on my way out, I’d like to sue him.”
Re: Re:
apparently if a burglar trips over your couch and breaks his ankle, he can sue you for damages in the U.S.
who knows what would happen if they found your collection of bear traps, all armed and ready..;)
Re: Re:
Actually, it’d be more like suing your neighbor for tapping your phone line and overhearing you plan a bank heist, then using that information to stop you from robbing the bank by, for instance, giving the bank your description and the exact time you’ll be showing up.
The neighbor’s act was illegal, but for the greater good. It’s an argument of justice versus ethics.
A security guard hitting a bank robber is well within his legal rights, and it’s *mostly* ethical (it’s his job and what general society expects him to do). To me, reverse engineering software (even malware) is not within anyone’s legal rights, even though it may be considered ethical.
In my opinion, justice should always win.
Ransomware...
A quote from my own post on the issue earlier today:
“Maybe it’s a good thing, but in the long run, I don’t see how “ransomware” could really make it in the long run. If people are going to find work arounds to software from companies like Microsoft and Adobe with billions of dollars invested in anti-pirating efforts, I doubt even the best “ransomware” virus would last before someone cracked it.”
http://gen.newrandom.com
I know a guy in PA that shot a burglar in his home. The burglar fell down the stairs after he was shot and broke his leg. He sued the guy for medical costs, pain and suffering and emotional distress and the burglar won.
Messed up legal system? YES
The right to sue – Priceless
who wants to guess how long it is before Techdirt is reporting the story of the ransomware creators suing under the DCMA?
I say 120 days…
suing burglers
Real case:
A man was on the roof of a school in California (25+ yrs ago), in the progress of committing burglery. The roof’s access ladders were protected by “Authorized personnel only” signs. He tripped over, and fell through, a skylight in the dark, landing in the building below – breaking his back. He sued, saying that the school district should have placed warning signs to alert persons on the roof to the presence of the skylight. Not only did he win, but his case went all the way to the Supreme Court, AND WAS UPHELD!!
Re: suing burglers
O Rly?!
Care to cite the case number (either California Supreme Court or SCOTUS)? No? Can’t find it? That’s because it didn’t happen.
Now for some crazy cases that are really happening: http://www.overlawyered.com
Judges
I’d put more trust in the long arm of the law to take criminals off the street. Literally.
All I know is...
If someone breaks into my house while I’m there, I’m going to take care of the problem, then call for the police and an ambulance. I wonder if you can sue someone for beating you unconscious instead of just killing you.
Re: All I know is...
play it safe, kill the scumbag, and put a knife in his hand. it was self defense with no one to disagree
Oh Really
I bet that this code only works for one particular piece of ransomware, not every piece ever written. Any script kiddie would be smart enough to get rid of/change the release code, even if they copied the entire rest of the code.
Interesting
I just think its funny that people would actually be dumb enough to get infected with some kind of ransomware.
It is not really fair to call people dumb because they get this ransomware on their computer. Keep in mind that many users are new and just are not as savvy as you and I may consider ourselves. Also, these tactics are getting slicker and slicker, so even the experienced user can fall victim to these attacks form time to time. Old people in particular get savaged by these things because they trust all system and security software based notifications (real or not), and they are the ones who are most likely to actually shell out the cash to just get rid of the problem.