7 October 2008, 18:06 | by WD Milner

An article that recently appeared on the website covered the discovery that cyber-criminals had obtained login credentials for thousands of websites, compromised those sites, and were using them as a base from which to launch further attacks elsewhere.

The article, by Gregg Keizer, is titled “Hackers compromise thousands of Web sites”. It goes on to state that:

“More than a month ago Ian Amit, director of security research at Aladdin Knowledge Systems Inc., found and infiltrated a server belonging to a long-time customer of Neosploit, a hacker toolkit used by cybercriminals to launch exploits against browsers and popular Web software such as Apple Inc.’s QuickTime or Adobe Systems Inc.’s Adobe Reader.

On that server, Amit uncovered logs showing that two or three hacker gangs had contributed to a massive pool of Web site usernames and passwords. ‘We have counted more than 208,000 unique site credentials on the server,’ said Amit, ‘and over 80,000 had been modified with malicious content.’”

That stolen credentials are in the hands of criminals is no surprise, though the number and variety of affected sites are a bit startling. What this author finds deplorable is that the researcher has essentially broken the law by doing exactly what the criminals he is researching do: he broke into a private server that he apparently had no authorization to access.

The article goes on to indicate that Mr. Amit is now working with various law enforcement agencies and organizations to try to mitigate the effects of these stolen credentials.

While this is a noble endeavour, it is clouded, in this author’s opinion, by the manner in which the material was obtained. If Mr. Amit were a law enforcement officer himself, he would be guilty of an illegal search. As it is, he is a private individual working for a commercial business who broke into a server he (in all probability) had no permission to use. That is illegal trespass.

At what point does a researcher cross the line from ethical hacker to unethical hacker? Recently a university student who accessed university systems and accounts without permission, but whose motive was to show the vulnerabilities to the university administration so they could be fixed, was charged with a criminal offence. Where is the difference between what he did and what Mr. Amit did? Granted, the server ostensibly belonged to a cyber-criminal and not a university, but does that make it right? Where do you draw the line?

While I despise those who misuse the technology in the manner these cyber-criminals have, I think we must be very careful that in the pursuit of malefactors we do not become so caught up in the chase and the intelligence gathering that we cross the line and become that which we are trying to defeat. While I can applaud Mr. Amit’s motives and diligence, I am afraid that, in this author’s opinion, he crossed that ever so thin line and became what he so decries.

- 30 -

Keywords: cyber-crime,hacking,exploits,credentials,ethical
