When Security Exploits Have Exploits

from the piling-on dept

We've talked in the past about how security software sometimes needs security software itself -- but what about security exploits? A popular scam these days among some script kiddies is to lock up important data on someone's computer unless they pay an extortion fee to release the data. Of course, it should come as no surprise that these exploits have exploits of their own... as one security firm discovered this week, releasing the universal password that will unlock your data should you happen to get caught by one of these scams. Apparently, all you need to know is: mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw. Of course, it's not surprising to find out the a script kiddie scam has exploits, but it does suggest a different kind of race for some security companies. Instead of just focusing on patches, look for ways to break the scam software itself.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    OK, 1 Jun 2006 @ 5:17pm

    I thought it was illegal and against the DCMA to reverse engineer software?

    The script kiddies could sue the security firm for this!

    reply to this | link to this | view in chronology ]

    • identicon
      Starky, 1 Jun 2006 @ 6:25pm

      Re:

      That is stupid and american. Suing because someone stopped your illegal activity.

      With that in mind, it will probably happen. Because we’re full of sue-happy idiots here in America.

      reply to this | link to this | view in chronology ]

      • identicon
        Razor's Edge, 1 Jun 2006 @ 7:14pm

        Re: Re:

        "That is stupid and american. Suing because someone stopped your illegal activity."

        While someone could file a lawsuit for this (and thus, you could say someone was sued for stopping their illegal activity), the case would undoubtedly be dismissed the second the presiding judged stopped laughing himself out of his seat.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Jun 2006 @ 5:20pm

    DMCA

    I wonder if the "ransomware" writers can sue under the DMCA's anti-circumvention provisions (well, if it was in the States).

    reply to this | link to this | view in chronology ]

    • identicon
      Razor's Edge, 1 Jun 2006 @ 7:11pm

      Re: DMCA

      "I wonder if the "ransomware" writers can sue under the DMCA's anti-circumvention provisions (well, if it was in the States)."

      No. According to the dirty hands doctrine, certain aspects of the criminal and civil laws do not apply to persons engaged in criminal activities.

      As an example, even if you sign a contract with a prostitute that says you pay her in advance for 12 'sessions' and she refuses to provide any services, you cannot sue her for breach of contract or for fraud. (Assuming this happens in the 99% of the USA that prohibits prostitution.)

      While I haven't heard of a DMCA case being dismissed or lost because of the dirty hands docrtine so far, I can pretty much guarantee that someone who commits several federal felonies will run afoul of it.

      reply to this | link to this | view in chronology ]

  • identicon
    Sean, 1 Jun 2006 @ 5:59pm

    Lovin It

    I'm loving this offensive mentality that is popping up on the net. We're not just dodging spam anymore, we're fighting back. We're not trying to prevent exploits, we're exploiting the exploits. Fighting fire with fire. I love it.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Jun 2006 @ 6:13pm

    This would kinda be like saying "I was robbing a bank, and the security guard hit me on my way out, I'd like to sue him."

    reply to this | link to this | view in chronology ]

    • identicon
      ehrichweiss, 1 Jun 2006 @ 6:48pm

      Re:

      apparently if a burglar trips over your couch and breaks his ankle, he can sue you for damages in the U.S.

      who knows what would happen if they found your collection of bear traps, all armed and ready..;)

      reply to this | link to this | view in chronology ]

    • identicon
      Tim Arview, 1 Jun 2006 @ 9:20pm

      Re:

      Actually, it'd be more like suing your neighbor for tapping your phone line and overhearing you plan a bank heist, then using that information to stop you from robbing the bank by, for instance, giving the bank your description and the exact time you'll be showing up.

      The neighbor's act was illegal, but for the greater good. It's an argument of justice versus ethics.

      A security guard hitting a bank robber is well within his legal rights, and it's *mostly* ethical (it's his job and what general society expects him to do). To me, reverse engineering software (even malware) is not within anyone's legal rights, even though it may be considered ethical.

      In my opinion, justice should always win.

      reply to this | link to this | view in chronology ]

  • identicon
    Josh, 1 Jun 2006 @ 6:15pm

    Ransomware...

    A quote from my own post on the issue earlier today:

    "Maybe it’s a good thing, but in the long run, I don’t see how “ransomware” could really make it in the long run. If people are going to find work arounds to software from companies like Microsoft and Adobe with billions of dollars invested in anti-pirating efforts, I doubt even the best “ransomware” virus would last before someone cracked it."

    http://gen.newrandom.com

    reply to this | link to this | view in chronology ]

  • identicon
    OK, 1 Jun 2006 @ 7:16pm

    I know a guy in PA that shot a burglar in his home. The burglar fell down the stairs after he was shot and broke his leg. He sued the guy for medical costs, pain and suffering and emotional distress and the burglar won.
    Messed up legal system? YES

    The right to sue - Priceless

    who wants to guess how long it is before Techdirt is reporting the story of the ransomware creators suing under the DCMA?

    I say 120 days...

    reply to this | link to this | view in chronology ]

  • identicon
    rahrens, 1 Jun 2006 @ 7:33pm

    suing burglers

    Real case:

    A man was on the roof of a school in California (25+ yrs ago), in the progress of committing burglery. The roof's access ladders were protected by "Authorized personnel only" signs. He tripped over, and fell through, a skylight in the dark, landing in the building below - breaking his back. He sued, saying that the school district should have placed warning signs to alert persons on the roof to the presence of the skylight. Not only did he win, but his case went all the way to the Supreme Court, AND WAS UPHELD!!

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 1 Jun 2006 @ 11:32pm

      Re: suing burglers

      Not only did he win, but his case went all the way to the Supreme Court, AND WAS UPHELD!!
      O Rly?! Care to cite the case number (either California Supreme Court or SCOTUS)? No? Can't find it? That's because it didn't happen. Now for some crazy cases that are really happening: http://www.overlawyered.com

      reply to this | link to this | view in chronology ]

  • identicon
    Andrew Strasser, 1 Jun 2006 @ 8:43pm

    Judges

    I'd put more trust in the long arm of the law to take criminals off the street. Literally.

    reply to this | link to this | view in chronology ]

  • identicon
    Adam, 2 Jun 2006 @ 6:29am

    All I know is...

    If someone breaks into my house while I'm there, I'm going to take care of the problem, then call for the police and an ambulance. I wonder if you can sue someone for beating you unconscious instead of just killing you.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Jun 2006 @ 7:07am

      Re: All I know is...

      play it safe, kill the scumbag, and put a knife in his hand. it was self defense with no one to disagree

      reply to this | link to this | view in chronology ]

  • identicon
    |333173|3|_||3, 4 Jun 2006 @ 6:49pm

    Oh Really

    I bet that this code only works for one particular piece of ransomware, not every piece ever written. Any script kiddie would be smart enough to get rid of/change the release code, even if they copied the entire rest of the code.

    reply to this | link to this | view in chronology ]

  • identicon
    Hmm, 4 Jun 2006 @ 9:39pm

    Interesting

    I just think its funny that people would actually be dumb enough to get infected with some kind of ransomware.

    reply to this | link to this | view in chronology ]

  • identicon
    Igor, 4 Dec 2009 @ 8:21am

    It is not really fair to call people dumb because they get this ransomware on their computer. Keep in mind that many users are new and just are not as savvy as you and I may consider ourselves. Also, these tactics are getting slicker and slicker, so even the experienced user can fall victim to these attacks form time to time. Old people in particular get savaged by these things because they trust all system and security software based notifications (real or not), and they are the ones who are most likely to actually shell out the cash to just get rid of the problem.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.