Hacker who tried to free inmate early may soon join him in jail

Class, get out your pencils: we’re having a surprise quiz. Please choose the best answer to this question: What’s the best way to ensure your friend is released early from jail?
1. Encourage him to keep up his best behavior during his sentence so as to maximize the chances that his good behavior will be recognized and rewarded with early parole.
2. Write a letter in support of an early release through the appropriate jurisdiction’s credit-earning programs.
3. Hack the county jail’s network and alter his prison record.
A Michigan man opted for No. 3. Bad choice, Konrads Voits! For flunking the quiz, you’re looking at a maximum penalty under federal law of 10 years’ imprisonment and a $250,000 fine (though, of course, maximum sentences are rarely handed out).
According to the US Attorney’s Office for the Eastern District of Michigan, Voits, 27, on Friday pleaded guilty to damaging a protected computer.
The Attorney General’s office says Voits used a classic phishing scheme laced with typosquatting. According to court records posted by The Register, in January 2017, Voits set up a phishing domain. It looks just like a legitimate county domain name for Washtenaw, except Voits swapped the final W for a double V.
Then, he called and emailed employees of Washtenaw County, claiming that he was “Daniel Greene” and that he needed help with court records. Over the phone, he pretended to be “T.L.” or “A.B.”, a county IT employee. The emails tried to entice employees into clicking on a hyperlink so they’d be whisked off to his malware-poisoned site, while the object of the phone calls was to get his victims to type that phishing site domain into their browsers so as to download an executable malware file.
It was to “upgrade the county’s jail system,” Voits claimed.
Some employees fell for it. Voits also finagled remote login credentials out of one employee. That’s how he managed to install malware on the county’s network itself.
Voits got full access to the county network, including to the XJail system – which is a program used to monitor and track county prison inmates – as well as to search warrant affidavits, internal discipline records, and personal information of county employees. Through the phishing and the malware installed on the county’s network, he succeeded in stealing passwords, user names, email addresses and other personal information of more than 1,600 county employees.

In March 2017, after he’d gained full access to the county’s network, Voits got into the records of multiple inmates. He tweaked the record of at least one in an effort to get him out early.
Fortunately, jail employees do careful reviews of inmate releases. No dice, Voits: your records alteration(s) didn’t fool anybody, and no inmates were released early. Washtenaw County employees did, however, spend what the AG said was “thousands of dollars and numerous extra work hours” responding to and investigating the breach.
Part of that was the expense of hiring an incident response company to determine how extensive the breach was. Many of the county’s hard drives had to be reimaged. Also, the county purchased identity theft protection for its employees. All told, the county said its losses were at least $235,488.
Voits agreed to give up his assets to try to pay it off. Goodbye, laptop. Goodbye, collection of four cell phones. Goodbye, undisclosed amount of Bitcoin.
He’s in custody after agreeing to a plea deal. He’s due to be sentenced on April 5 2018.
I wouldn’t be surprised if one repercussion of Voits’ exploits were that county employees have been subjected to refresher courses on how to spot, and avoid, both IT support scammers and phishing attempts.
It isn’t easy. Like that easy-to-miss double-V swap Voits employed, the signs of a phish can be subtle.
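A double-V swap that a person misses at a glance is something a mail or web filter can check for mechanically. The sketch below is an added example, not code from the case or from the county: it collapses look-alike sequences such as "vv" into the letter they imitate and flags any linked host that then matches a protected domain. The domain names, the confusables list and the sample message are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder domains; the county's real domain is not used here.
PROTECTED = {"oakhollow.example", "mail.oakhollow.example"}

# Character sequences that imitate another letter (assumed, non-exhaustive).
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def skeleton(host: str) -> str:
    """Collapse look-alike sequences so visually similar hosts compare equal."""
    host = host.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host

# Skeleton both sides so a protected name that contains "rn" still matches itself.
PROTECTED_SKELETONS = {skeleton(d): d for d in PROTECTED}

def lookalike_of(host: str):
    """Return the protected domain that `host` imitates, or None."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full host up through its parents so sub.fake.example is caught.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in PROTECTED:
            return None  # genuine domain or a subdomain of one
        target = PROTECTED_SKELETONS.get(skeleton(candidate))
        if target:
            return target
    return None

def scan(text: str):
    """Return (host, imitated_domain) for every suspicious URL in `text`."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        target = lookalike_of(host)
        if target:
            hits.append((host, target))
    return hits

# Constructed message text for the demonstration.
SAMPLE = """Use https://www.oakhollow.example/records for the portal.
The upgrade is at http://oakhollovv.example/setup or
https://files.oakhollovv.example/setup if the first link is slow."""
```

Calling `scan(SAMPLE)` reports the two `oakhollovv.example` hosts and leaves the genuine `www.oakhollow.example` link alone.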
In time for the holidays, we recently came out with some simple tips on how to avoid getting phished.
As far as the bogus calls go, you might want to check out our explanation of social engineering. After all, pretending to be the IT guy is just one of the tricks the crooks like to pull!
